Author Archives: privacynewshighlights

16-31 May 2015


WW – Facial-Recognition Software Addresses Privacy Concerns

Affectiva, a company that utilizes its facial-recognition software to measure reactions to advertisements and videos, addresses potential privacy concerns with its methods in a recent Advertising Age feature. While the company usually works with “opt-in” volunteers in a method akin to a focus group, it also places “huge emphasis on analyzing ads ‘in the wild,’” the article reports. Says Affectiva CEO Ken Denman, “We keep the metadata. We discard the image.” Unnamed Affectiva executives also confirmed that the company reserves its real-time analysis for “public venues” in which the individuals “are already being filmed.” [Full Story]

EU – Controversial Face Recognition Software Is Being Used by Police Scotland

Images of hundreds of thousands of Scots are held on a controversial facial recognition database used by the national police force, raising fresh fears over civil liberties. Officers have admitted using the technology, which attempts to identify faces captured on CCTV and other images, on more than 400 occasions. In addition, Police Scotland said it has uploaded hundreds of thousands of mugshots onto a UK-wide police database used as the main resource for facial recognition searches. Details of Police Scotland’s use of the technology were revealed in response to a Freedom of Information request. Independent watchdog Alastair MacGregor, the UK’s Biometrics Commissioner, has warned it may include hundreds of thousands of images of innocent people, raising questions about privacy. MPs on the Commons science and technology committee said they were “alarmed” to learn facial recognition technology could be used on pictures of innocent people. The database has continued to grow despite a High Court ruling in England which called on some forces to revise their procedures. [The Sunday Herald]

WW – Your Next Password Could Be Your Brain

According to New Scientist, researchers found that volunteers’ brains had a reaction to each of 75 acronyms (e.g., FBI, DVD) in a way that was unique to each individual. The difference between the volunteers’ brain reactions was enough for the system to pinpoint their identities with accuracy of up to 94%. The study, from Neurocomputing, is titled – appropriately enough – Brainprint. The work was done by a group of researchers from the Basque Center for Cognition and Binghamton University. This isn’t the first time that unique brain activity has been looked at as a potential authentication factor. [NakedSecurity]

US – Photos, Facial-Recognition and the Grocery Store Project

The Grocery Store Project was created by Simon Høgsberg using one camera to photograph 97,000 people outside a supermarket over a 21-month period. “Then he used facial recognition software to create a pedestrian survey of the people rushing past for his interactive series,” the report states, which “documents the intersecting lives of people who pass by each other almost daily, and it creates a fascinating ‘map’ showing how these lives converge.” The project “weaves together 457 people who happened to walk in front of his lens.” In all, he’s “identified and named 11,000 individuals,” the report states, noting only two people “said they didn’t want to be photographed,” and if anyone asked, Høgsberg told them he was “making a visual analysis of the Danish culture.” [Wired]

Big Data

WW – Big Data and the Potential for Racism? CMU Fellows Plan to Find Out

Alessandro Acquisti, professor at Carnegie Mellon University, is using his tenure as a Carnegie Corporation fellow to study the negative effects of data tracking, such as racial profiling. Cited as impetus was an October research initiative that found job candidates who identified as Muslim online were considered less often for employment opportunities in neighborhoods with a majority of Republican voters. “If the market for information is not carefully regulated, big data can lead to a serious imbalance of power between individuals, whose information can be so easily exploited for profit, at times even unbeknownst to individuals, and companies, organizations and governments that have the upper hand,” said Laura Brandimarte, who coauthored a paper with Acquisti.

WW – Frick: Data Tracking Paints a Pretty—Not Fretful—Picture

The use of data for art can take the sting out of “Big Brother,” data artist Laurie Frick argues. Frick, who uses information gleaned from apps and personal journals to create her works, is among a rising coterie of artists who see data as a “metaphor for the human experience,” or more specifically, according to Frick, “an essential idea of who we are.” She tells The Atlantic, “I think people are at a point where they are sick of worrying about who is or isn’t tracking their data. I say, run toward the data. Take your data back and turn it into something meaningful.” [Source] [The Musician Who Sees Life Through the Prism of PRISM]

US – Online Trust Alliance to Lead IoT Initiative

The Online Trust Alliance (OTA) has announced it is leading an initiative to develop a security, privacy and sustainability trust framework for Internet of Things (IoT) devices. The framework aims to provide clarity and confidence to consumers and will initially focus on connected home and wearable/fitness technologies, according to a press release. OTA hopes to use the framework as the basis for a potential certification program for IoT devices and their manufacturers. OTA’s Craig Spiezle said because of the rapid development of IoT products on the market “we must ensure that security and privacy best practices are integrated to maximize consumer protection.” A working group meeting is scheduled for June 16. [Full Story]

WW – How to Increase Value, Mitigate Risk

Accenture reports how organizations can preserve and increase the potential of personal data using five principles of corporate digital responsibility: stewardship, transparency, empowerment, equity and inclusion. In a recent Accenture survey of nearly 600 businesses globally, 79% of respondents said their companies collect data directly from individuals—such as online customer accounts, for example—as well as from commercial or data-sharing partnerships, connected devices and third-party data suppliers. “This data generates benefits for both businesses and customers—chief among them being the ability to deliver better customer experiences, enter new markets and make products more innovative,” the report states, noting that, at the same time, regulations are changing and regulators are increasing their scrutiny of businesses’ data practices. [Full Story]


CA – Opposition Mounting to Bill C-51

Bill C-51 is just one aspect of the alarming privacy deficit the government has created. In the last 12 months alone we’ve seen stunning revelations about how the government’s spy agency CSE is spying on Canadians’ private online activities, and even on private emails that Canadians send to Members of Parliament. And we’ve seen Justice Minister Peter MacKay’s Online Spying Bill C-13 become law, despite opposition from three in four Canadians. Enough is enough: if there was one message coming through loud and clear from participants in our crowdsourcing process, it’s that Canadians are sick and tired of the seemingly endless series of government attacks on their privacy. The OpenMedia “pro-privacy action plan” has garnered the endorsement of a diverse group of advocacy and activist groups from across the ideological spectrum, including PEN Canada, the Canadian Constitution Foundation, Greenpeace and the National Firearms Association. And while he says that he hasn’t yet had the chance to review its findings in detail, federal privacy watchdog Daniel Therrien “welcomes” the initiative. “I believe it’s extremely important for Canadians to be involved in the debate around government surveillance and the kind of country we want,” he said in a written statement provided to CBC News. [Rabble: Liberals vs. liberties: Why Trudeau supports Bill C-51] [C-51: Crowdsourced report aims to stop Canada’s slide into ‘surveillance society’ Canada at a ‘tipping point,’ privacy advocates warn] [HuffPost: Could This Be the Antidote to Bill C-51?] [Canada’s National Security Agencies Need Parliamentary Oversight] [Think anyone’s going to repeal C-51? Don’t hold your breath]

CA – Spy Agencies Target Mobile Phones, App Stores to Implant Spyware

Millions of smartphone users were put at risk by gaps in certain mobile browsers, a Snowden file shows. The case raises questions about whether government agencies, even covert ones, should carry some responsibility for informing citizens of weaknesses they’ve unearthed in devices, operating systems and online infrastructure. Taking advantage of weaknesses in apps like UC Browser “may make sense from a very narrow national security mindset, but it happened at the expense of the privacy and security of hundreds of millions of users worldwide,” says Deibert. “Of course, the security agencies don’t [disclose the information],” says Deibert. “Instead, they harbour the vulnerability. They essentially weaponize it.” For his part, Geist argues that there is an expectation that the federal government will protect Canadians. “We should be troubled by the notion of our spy agencies — and in a sense our government — actively looking for vulnerabilities or weaknesses in the software that millions of people are using,” said Geist. [Source] [How CSE’s existence was first revealed by CBC TV] [Your government is spying on you online. Here’s what you can do about it]

CA – Canada Failing at Tracking Terrorist Financing

But FINTRAC will also need new oversight, the experts said. If it is tracking every single electronic funds transfer made through Canadian financial institutions, there is a greater risk of privacy breaches, as well as of FINTRAC acting unlawfully or ineffectively. Privacy audits have already shown that, even at the $10,000 threshold, some transactions were inappropriately flagged based solely on race, country of origin or age. And there currently is no independent oversight mechanism to make sure FINTRAC is good value-for-money or that it acts within the law. [Source] [Solicitor Client Privilege in Tax Matters]

CA – Expansion of PIPEDA in Budget Bill Raises Constitutional Questions

The Canadian government’s omnibus budget implementation bill (Bill C-59) has attracted attention for its inclusion of copyright term extension for sound recordings and the retroactive changes to the Access to Information Act. Another legislative reform buried within the bill is a significant change to PIPEDA. The bill adds a new Schedule 4 to PIPEDA, which allows the government to specify organizations in the schedule to which PIPEDA applies. Bill C-59 immediately adds one organization: the World Anti-Doping Agency (WADA), which is based in Montreal. Leaving aside the obvious problem of burying privacy reforms in a budget bill (in fact, privacy, copyright, and access to information all within a single bill with little or no study of those reforms), the change is a potential target for a constitutional challenge. While there have even been some questions about relying on trade and commerce for PIPEDA, particularly after the Supreme Court of Canada decision involving a national securities regulator, there has never been any doubt that PIPEDA applies solely to commercial activities (Privacy Commissioner interpretation bulletin) as that is essential for the constitutional basis for the law. The problem with the Bill C-59 change is that it seeks to extend PIPEDA to non-commercial activities. While PIPEDA provides clear rules for organizations in the context of commercial activity, it does not currently apply to organizations such as the World Anti-Doping Agency, an international, independent organization headquartered in Montreal. [Source]

CA – Ottawa Announces Plan to Monitor Prescription Drug Abuse

Health Minister Rona Ambrose said the government will give the Canadian Institute for Health Information nearly $4.3-million over five years to develop a co-ordinated national monitoring and surveillance program. …Several provinces, including Ontario and Nova Scotia, have created prescription monitoring programs, which typically target individuals who visit multiple doctors or pharmacies to get more opioids. The funding will help CIHI work with provinces to enhance data collection and analysis and create a national report on surveillance. [Globe & Mail]

CA – Crowdsourced Plan Aims to Tackle “Privacy Deficit”

OpenMedia’s David Christopher writes about the organization’s “crowd-sourced pro-privacy action plan,” launched this week. Privacy Commissioner Daniel Therrien has “welcomed” the initiative, CBC News reports. Canada’s Privacy Plan: A Crowdsourced Agenda for Tackling Canada’s Privacy Deficit begins with an introduction suggesting the country’s “growing privacy deficit has alarming consequences for our everyday lives. We’re at a tipping point where we need to decide whether to continue evolving into a surveillance society, or whether to rein in the government’s spying apparatus before more lives are ruined by information disclosures.” The plan includes “common sense” tips for strengthening privacy. [HuffPost] [Canadians to Spy Agencies: Get a Warrant!]

CA – Toronto Police Body Cameras Raise Privacy Concerns

Executive Director Sukanya Pillay of the Canadian Civil Liberties Association says body cameras can be a “good thing for accountability,” but they raise a number of questions that need to be addressed as part of the pilot project. …Pillay said there must be strict controls on how footage is recorded, stored, flagged and accessed in order to protect citizens captured on film. “Strict protocols have to be in place in order for it to serve the function of accountability,” she said. [CTV] [Toronto police start year-long pilot project to test body cameras for officers] [Globe & Mail: Police Start Pilot to Test Body-Worn Cameras]

CA – Manitoba Court Interprets Common Law Tort of Intrusion Upon Seclusion

The Manitoba Court of Appeal has held that the tort of intrusion upon seclusion may allow family members, who have suffered as a result of a breach of the privacy of another family member, to advance a claim in their own right. …It is likely too early to know the significance of the Court’s decision in Grant, as the courts in Manitoba have not yet truly examined whether the tort of intrusion upon seclusion can be expanded to give family members of a victim an ability to advance the tort. However, it will be interesting to see how other jurisdictions apply the ultimate ruling in Grant. [Source] See also: [MB: Province readying to unseal adoption records next month]

CA – Ontario Decision Suggests Corporation Can Sue for Breach of Privacy

On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial. [Source]

CA – IPC Publishes Privacy Impact Assessment (PIA) Guide

Ontario public sector institutions must meet high standards of care and trust whenever collecting, using and disclosing personal and other sensitive information. Any public institution considering new information technologies, systems and program services that may affect privacy is strongly encouraged to complete a privacy impact assessment (PIA). A PIA is an organizational risk management tool and a process used to identify the effects of a given process or other activity upon an individual’s privacy. PIAs also serve to identify any risks to the institution. The IPC’s new guide, “Planning for Success”, provides institutions with step-by-step advice on how to carry out a PIA from beginning to end. The new guide will help institutions define scope, engage internal and external stakeholders, understand information flows, identify privacy solutions and prepare an effective PIA report. Beginning a PIA early in a project’s development provides a systematic basis for mitigating privacy risks at every step, and for documenting decisions for accountability and compliance purposes. [Source] [Guide]


US – Report: Americans Don’t Trust Gov’t, Business to Protect Privacy

A new report from the Pew Research Center reveals that Americans don’t trust the government or companies to protect their privacy. Conducted online in 2014 and early 2015, the survey found that nine in 10 adults value controlling their personal information, but half said they felt they had little or no control of their data. Approximately two-thirds said government surveillance limits are inadequate. More than three-fourths said they did not trust advertisers to protect their data, and two-thirds said they had no confidence social media sites, search engines or video sites would do so either. Additionally, more than half said they did not want to be monitored in public or in the workplace. [New York Times] Another finding from the survey: a majority (65%) of Americans do not believe there are adequate limits on “what telephone and Internet data the government can collect” as part of anti-terrorism efforts, versus just under a third (31%) who do believe there are appropriate limits on the kinds of data gathered for these programs. Pew notes that respondents who are more aware of government online surveillance programs are considerably more likely to believe adequate safeguards are not in place: 74% of those who have heard “a lot” about these programs say limits are not adequate, versus 62% of those who have heard only “a little” about the monitoring programs. [TechCrunch: Another Pew Privacy Report Flags Huge Public Mistrust]

US – Poll: Update the USA PATRIOT Act

As the USA PATRIOT Act’s expiration nears, polls conducted by the ACLU indicate that more than 80% of Americans across party lines are “concerned” about the bill’s privacy implications, while 60% of respondents support “revising” the bill to reflect said concern, Newsweek reports. “The poll results tell us that in order to be more reflective of the public’s views on surveillance and the PATRIOT Act, members of Congress should more fully support reforms,” says the ACLU’s legislative counsel, Neema Singh Guliani. [Newsweek]

US – NBCUniversal to Use Comcast Data to Tailor Ads

Critics—and lawmakers—are wary of NBCUniversal’s announcement it will utilize data from customers’ Comcast DVR boxes to tailor TV advertisements. NBC is calling the initiative an “audience targeting platform,” and the corporation is excited about the possibilities. Comcast said it is “not sharing personally identifiable information about its customers, but simply providing a software tool that allows programmers, like NBCUniversal, to run certain queries,” the report states. The Electronic Frontier Foundation’s Lee Tien said, “I would ask them, ‘How are you technically implementing that?’ Exactly what data is generated in the process, and then how do you process that data in a way that it does not or cannot reveal the things that you say that you’re not trying to reveal?” [International Business Times]


US – NIST Putting Finishing Touches on Privacy Framework

The National Institute of Standards and Technology (NIST) is set to finalize an interagency report that will provide guidance for federal agencies on assessing and mitigating digital privacy risks. “Cybersecurity has come a long way in the last 10 years,” said NIST’s Sean Brooks, while “privacy has really lagged behind.” Brooks added that the framework aims to guide privacy initiatives from compliance to engineering and development staff “and even up to executive staff who are trying to deal with risks and make decisions about funding in order to mitigate those risks.” Transportation Department Chief Data Officer Dan Morgan said, “We can build all the beautiful digital services that we want, but if people don’t trust them, they’re not going to use them.” [Fierce Government IT]

US – IRS System Mined For Over 100,000 Taxpayer Records by Fraudsters

The attackers apparently used personal data stolen in other breaches to answer the knowledge-based authentication questions. The Get Transcript application, a feature of the IRS’ site that allows taxpayers to download tax return and tax payment transaction data, was apparently targeted by financial fraudsters between February and mid-May. The service was shut down last week as the IRS investigated the activity, which may have been linked to the fraudulent filing of tax returns and transfer of tax refunds. Attempts were made to access over 200,000 accounts; roughly half failed because of incorrect information entered during the IRS’ authentication process. [Source] [Hackers stole personal information from 104,000 taxpayers, IRS says]


CA – The Impact of Canadian Anti-Spam Legislation on Subscriber Rates

The hard truth? Without a doubt, marketers’ efforts to be CASL compliant hurt subscriber growth rates. …Unfortunately for marketers and consumers alike, spam is still a problem, even as subscriber growth is slowing down. Cloudmark’s most recent study was a real eye opener on the overall drop in Canadian spam and even legitimate email being sent. Sadly, we haven’t seen CASL truly protect Canadians as it was initially intended just yet, considering spam email to Canadians has stayed nearly consistent.

  • 37% reduction in spam originating in Canada, the majority of that going to the United States
  • 29% reduction in all email received by Canadians, spam and legitimate
  • No significant change in the percentage of emails received by Canadians that were spam. [Source]

Electronic Records

US – EHealth Operators Waiting on Behavioral Health Guidance, Regulations

Providers, electronic health record developers and health-information exchange operators are “still waiting for new regulations or guidance on electronically handling highly sensitive behavioral health information.” The Substance Abuse and Mental Health Services Administration held a national listening session on possibly updating its rule protecting patients of federally funded drug and alcohol treatment centers, the report states. The rule is seen by some as a barrier to interoperability of healthcare information systems. But patient advocates say patient consent, the aspect that’s seen as a barrier to info-sharing, is an important part of the law. The listening session drew mixed comments on whether government should expand access to behavioral health information. [Modern Healthcare]


WW – Finding Solutions for Encrypted Data in the Cloud

University of Wisconsin Prof. Thomas Ristenpart describes the traditionally dicey enterprise of encrypting data in the cloud without breaking cloud applications, likening it to pounding square pegs into round holes. “Back in 2009,” he writes, he and other researchers “flipped the problem around.” He and his team created “format-preserving encryption” that can “solve the key usability issues of making it easy to specify a ‘peg size’.” Ristenpart adds, “It’s gratifying to see emerging security technologies bring these types of academic breakthroughs to the cloud security market.” [Full Story]
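The “peg size” idea above, as an added example that is not part of the original page and not code from Ristenpart’s group or any vendor: a small Feistel-style format-preserving cipher over decimal digit strings. It borrows FF1’s shape (alternating-width halves, a keyed round function) but is a teaching construction, not the NIST FF1 standard, and the KEY and TWEAK values are constructed for the demonstration. What it shows is that a 16-digit input encrypts to a 16-digit, digits-only output, so a column or form field that only accepts that format accepts the ciphertext unchanged.

```python
"""Toy format-preserving encryption (FPE) over decimal digit strings.

Added example: not code from Ristenpart's group or from any vendor.  A
Feistel construction in the style of NIST FF1 (alternating-modulus halves,
keyed round function), but NOT the standardised algorithm; illustration only.
"""
import hashlib
import hmac

ROUNDS = 10  # the round count FF1 uses; kept here for the same reason

# Constructed key and tweak for the demonstration only (assumption: a real
# deployment obtains these from a key manager and never hard-codes them).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TWEAK = b"card-number-column"


def _round_function(key, tweak, round_no, half, modulus):
    """Keyed PRF: HMAC-SHA256 over (tweak, round number, the other half),
    reduced modulo 10**m so the result fits in exactly m decimal digits."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def _split(digits):
    """Left half of u = n // 2 digits, right half of the remaining n - u."""
    u = len(digits) // 2
    return digits[:u], digits[u:]


def _check(value):
    if not value.isdigit() or len(value) < 2:
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt(key, tweak, plaintext):
    """Encrypt a digit string to a digit string of the same length."""
    _check(plaintext)
    a, b = _split(plaintext)
    u, v = len(a), len(b)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key, tweak, ciphertext):
    """Invert fpe_encrypt by running the rounds backwards."""
    _check(ciphertext)
    a, b = _split(ciphertext)
    u, v = len(a), len(b)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c, b = b, a  # b is again the half that fed the round function in round i
        a = str((int(c) - _round_function(key, tweak, i, b, 10 ** m)) % 10 ** m).zfill(m)
    return a + b


if __name__ == "__main__":
    sample = "1234567890123456"  # constructed 16-digit value, not a real card number
    ct = fpe_encrypt(KEY, TWEAK, sample)
    print(sample, "->", ct, "->", fpe_decrypt(KEY, TWEAK, ct))
```

Because the two halves are kept at widths u and n-u and each round reduces modulo 10**m for the half it replaces, the construction is a permutation on exactly the n-digit domain, so no cycle-walking is needed and odd lengths work as well as even ones. The tweak binds a ciphertext to its context (here a column name) so the same digits encrypted for a different field do not produce the same output.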

US – DHS Secretary Warns of Post-Snowden Encryption Market

U.S. Homeland Security Secretary Jeh Johnson said disclosures from Edward Snowden on the NSA’s bulk surveillance programs have “changed the landscape” for encryption services, Politico reports. “We are concerned that with deeper and deeper encryption, the demands of the marketplace for greater cybersecurity, deeper encryption in basic communications … It’s making it harder for the FBI and state and local law enforcement to track crime, to track potential terrorist activity,” he said, adding, “We’ve got to find a solution to this, and we’re thinking about this very actively right now.” His remarks come after the House of Representatives voted to formally end the NSA’s bulk telephony data collection. [MSNBC]

WW – HTTPS Vulnerability Affects 10% of World’s Top Websites

Tens of thousands of HTTPS-protected websites—8.4% of the world’s top one million sites—as well as mail servers and other Internet services are currently vulnerable to a newly discovered attack that allows adversaries to eavesdrop on communications and downgrade encryption levels. The vulnerability, called Logjam, lies in how the transport layer security protocol used by mail servers and websites negotiates Diffie-Hellman key exchange: an attacker positioned between client and server can force a server that still supports export-grade, 512-bit Diffie-Hellman groups down to that strength and then break the session. Those weak groups are a legacy of export restrictions mandated by the U.S. government in the 1990s so agencies could break foreign users’ encryption, the report states. “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,” said one researcher. [Ars Technica]

AU – Teaching Encryption Could Soon Be Illegal in Australia

Under the Defence Trade Control Act (DTCA), Australians could face up to ten years in prison for teaching encryption. The criminal provisions take effect next year. The legislation will make it illegal for Australians to teach or provide information on encryption without holding a permit. [Source]

WW – Logjam Flaw HTTPS-Crippling Attack Threatens Web And Mail Servers

Tens of thousands of HTTPS domains contain a vulnerability in the transport layer security protocol that the sites use to establish encrypted communications with users. The Logjam vulnerability can be exploited to access and modify data traveling through encrypted connections. The problem can be traced to export restrictions the US government imposed twenty years ago. [ZDNet] [Wired] [DarkReading] [Ars Technica] [Weakdh]
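A practitioner’s check for the two Logjam items above, as an added example that is not part of the original page and not code from the Logjam researchers or from weakdh.org. It classifies the output of an `openssl s_client` handshake for export-grade cipher suites and undersized ephemeral Diffie-Hellman groups. Assumptions: the `Server Temp Key:` line format printed by OpenSSL 1.0.2 and later, the invocation shown in the docstring as the way to produce that text, and the sample handshake transcripts, which are constructed rather than captured from any real host.

```python
"""Classify an ``openssl s_client`` handshake transcript for Logjam exposure.

Added example, not code from the Logjam researchers or weakdh.org.  Assumes
the output format of OpenSSL 1.0.2+, which prints a ``Server Temp Key:`` line
describing the ephemeral key-exchange group.  Assumed invocation to produce
the text (the researchers' advice was to probe with export ciphers enabled):

    openssl s_client -connect example.com:443 -cipher "EXP" < /dev/null
"""
import re

CIPHER_RE = re.compile(r"Cipher is (\S+)")
# Matches "DH, 512 bits", "ECDH, P-256, 256 bits" and "X25519, 253 bits".
TEMP_KEY_RE = re.compile(r"Server Temp Key: (\w+)(?:, [^,]+)?, (\d+) bits")

EXPORT_DH_BITS = 512       # the export-grade group size Logjam downgrades to
RECOMMENDED_DH_BITS = 2048  # the researchers' recommended minimum group size


def parse_s_client(text):
    """Return (cipher, key_type, key_bits) from s_client output; None where absent."""
    cipher = key_type = key_bits = None
    m = CIPHER_RE.search(text)
    if m:
        cipher = m.group(1)
    m = TEMP_KEY_RE.search(text)
    if m:
        key_type, key_bits = m.group(1), int(m.group(2))
    return cipher, key_type, key_bits


def assess(text):
    """List human-readable findings; an empty list means nothing Logjam-relevant."""
    cipher, key_type, key_bits = parse_s_client(text)
    findings = []
    # "(NONE)" means the server refused every offered suite: the desired
    # outcome when the probe only offers export ciphers.
    if cipher and cipher != "(NONE)" and (cipher.startswith("EXP-") or "EXPORT" in cipher):
        findings.append("server negotiated export-grade cipher suite %s" % cipher)
    if key_type == "DH" and key_bits is not None:
        if key_bits <= EXPORT_DH_BITS:
            findings.append("ephemeral DH group is %d bits: export-grade, breakable" % key_bits)
        elif key_bits < RECOMMENDED_DH_BITS:
            findings.append("ephemeral DH group is %d bits: below the %d-bit recommendation"
                            % (key_bits, RECOMMENDED_DH_BITS))
    return findings


def logjam_exposed(text):
    """True when the transcript shows an export-grade suite or a 512-bit DH group."""
    return any("export-grade" in f for f in findings(text))


def findings(text):
    return assess(text)


# Constructed transcripts (not captured from any real server).
SAMPLE_WEAK = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
Server public key is 2048 bit
Server Temp Key: DH, 512 bits
"""
SAMPLE_LEGACY = """New, TLSv1.2, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
"""
SAMPLE_STRONG = """New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits
"""
SAMPLE_REFUSED = "New, (NONE), Cipher is (NONE)\n"

if __name__ == "__main__":
    for name, sample in [("weak", SAMPLE_WEAK), ("legacy", SAMPLE_LEGACY),
                         ("strong", SAMPLE_STRONG), ("refused", SAMPLE_REFUSED)]:
        print(name, assess(sample) or ["ok"])
```

Note that `Server public key is 2048 bit` describes the certificate’s RSA key, not the key-exchange group; only the `Server Temp Key` line tells you the Diffie-Hellman group size that Logjam attacks. The fix the researchers recommended matches these rules: disable export cipher suites, generate a fresh 2048-bit DH group instead of a shared 1024-bit default, and prefer ECDHE.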

WW – Visa Increasing Bank Reimbursements After Breaches

Visa has agreed to increase pay to banking institutions when they have to reissue cards in the wake of data breaches. Visa will reimburse on a tier system, with more help going to community institutions than the larger brands. The reimbursements will work on an annual card-purchase volume. There’s been an ongoing debate between merchants and banking institutions over who should be held accountable for card fraud. While banks say retailers should be held accountable for expenses related to breaches in which they hold some responsibility, retailers say the interchange fees they pay to card brands to route transactions are meant to cover breach-related expenses. [Bank Info Security]

US – Tech Giants Don’t Want Police Access to Encrypted Phone Data

Tech behemoths including Apple and Google and leading cryptologists are urging President Obama to reject any government proposal that alters the security of smartphones and other communications devices so that law enforcement can view decrypted data. In a letter to be sent Tuesday and obtained by The Washington Post, a coalition of tech firms, security experts and others appeal to the White House to protect privacy rights as it considers how to address law enforcement’s need to access data that is increasingly encrypted. “Strong encryption is the cornerstone of the modern information economy’s security,” said the letter, signed by more than 140 tech companies, prominent technologists and civil society groups. [Source] [Apple, Google and More Bring Privacy Fears to Obama]

EU Developments

EU – Draft Text: Fines for RTBF Violations Would Increase

EU ambassadors have agreed to a draft text proposed by Latvia—which currently holds the rotating presidency of the EU—that would implement three levels of fines for businesses that violate the EU’s data protection overhaul. The levels range from one-half percent to two percent of an organization’s annual global turnover. Failure to “erase personal data in violation of the right to erasure and ‘to be forgotten’” would be included in the second category of a one-percent fine. If all of the sections of the reform proposal are agreed upon, EU ministers could endorse the entire text at their mid-June meetings, the report states, and trialogue discussions between member state representatives and the European Parliament would commence. [EurActiv]

EU – EU, APEC to Streamline BCR/CBPR Process

Winning approval for both binding corporate rules (BCRs) and cross-border privacy rules (CBPRs) takes significant work. But to demonstrate compliance, many of the administrative hurdles are the same. That’s why, as companies increasingly turn to BCRs and CBPRs as data transfer mechanisms, an EU/APEC working group has approved a plan for increased interoperability by making it easier for companies to comply with both BCRs and CBPRs all at once. “The idea is that organizations will be able to submit the single questionnaire to both EU DPAs, whose approval is needed for organizations to be granted BCRs, and to APEC Accountability Agents, whose approval is needed to be granted CBPRs.” [Full Story]

EU – Member States Calling for Transparency from Internet Giants

Ahead of a European Council meeting on proposed cybersecurity rules, France, Germany and Spain are hijacking the debate in hopes of using the rules to “boost control and surveillance over Internet companies, claiming they are critical to their economies and communication networks.” The proposal requests that Internet firms offer “greater transparency” to the EU and that firms outside the EU “report security breaches to national regulators in each member state,” similar to the burden placed on European telecom companies. “Nevertheless,” the report states, “the proposed rules will likely add to the long list of disputes pitting European authorities against U.S. tech firms.” [Politico]

EU – Belgium, Facebook and the Single Data Controller

The Belgian Privacy Commission published the first part of its recommendation after investigating Facebook’s data processing activities. Much of it justifies why Facebook is subject to Belgian law, but it also reveals some important insight on the regulatory interpretation of the EU Data Protection Directive’s applicable law principles and highlights the growing concern around “forum shopping.” Tim Van Canneyt outlines the applicable law tests and offers measures multinationals can take in their approach to compliance with EU law, noting, “While it … makes sense to create an EU subsidiary to fulfill a data-controller role, it is not sufficient to simply ‘nominate’ one on paper.” [Privacy Tracker] Facebook Global Deputy Chief Privacy Officer Stephen Deadman says the one-stop-shop mechanism in the proposed General Data Protection Regulation is “in danger” and speaks from experience of the likely consequences for the EU if the one-stop shop is rejected or seriously watered down. Phil Lee says the General Data Protection Regulation will not prevent forum shopping because “businesses don’t choose their homes based on data protection alone.”

EU – Ireland Is Now Officially Twitter’s Global Legal Center

Following up on an announcement last month, Twitter officially made Ireland its global legal center. The move affects all non-U.S. Twitter users, according to a statement on the move. “It’s possible that Twitter may be anticipating a change in Safe Harbor because of recent developments and the direction European authorities are taking,” said Daragh O’Brien, adding, “If so, it would help them to have a single defined office.” The Office of the Irish Data Protection Commissioner (DPC) said it won’t have a new mountain of work, however, a separate Irish Independent report states. DPC Helen Dixon said that “even though Twitter users up to last week were signed up under ‘Twitter Inc.,’ we would always have seen ourselves as responsible.” [Irish Independent]

EU – New Telecom Law Proposed

In Germany, telecommunications and Internet companies “could once again be forced to store customer traffic and location metadata for police investigation purposes, five years after a previous data retention law was declared unconstitutional.” Under a draft data retention law released Wednesday, providers would be required “to store call and Internet traffic metadata for a maximum of 10 weeks while location data would have to be stored for four weeks,” the report states, noting Germany’s government believes “it strikes the right balance between freedom and security in the digital world.” [PCWorld]

UK – Just 1% of Public Would go to Information Commissioner’s Office

Almost half of the population don’t know who to go to for advice on protecting their personal data online. When asked who they would go to for advice on protecting their data, only 1% named the Information Commissioner’s Office (ICO), while almost half (45%) of the 1,222 respondents said they ‘don’t know’, a poll by ComRes found. Another 35% said they would ask the Citizens Advice Bureau, 15% said they would search online, and 13% would ask a lawyer. [ComputerWorld]

EU – Belgian Watchdog Raps Facebook for Treating Personal Data ‘With Contempt’

Facebook is facing a wave of probes by European regulators into its privacy practices. The Belgian report, which was released Friday, is part of a broader effort by privacy regulators in several European countries to examine new privacy policies Facebook implemented this year for use of data from its services, which include Instagram and WhatsApp, to target advertising. The review is being led by authorities in the Netherlands and includes watchdogs in France, Spain and Germany. Belgium’s Privacy Commission, in its 28-page report, said Facebook processes the personal data of its members as well as other Internet users “in secret,” without asking for consent or adequately explaining how the data would be used. [WSJ] [The Belgian Commission for the Protection of Privacy has released a lengthy “recommendation” that outlines its beliefs as to why it has competency to regulate Facebook.] [ECJ Ruling Could Invalidate Safe Harbor: Opinion] SEE ALSO [Belgian authorities have taken Skype to court because it refused to allow two suspects’ Skype calls to be tapped. Skype says it isn’t subject to wiretap legislation]

Facts & Stats

WW – Salary Survey Released at Symposium

In conjunction with the IAPP Canada Privacy Symposium, the IAPP released the first regional breakout of its biennial Privacy Professionals Salary Survey. The report offers insight from about 200 Canadian privacy professionals on salary levels according to variables such as privacy experience, certifications, industry, size of organization, gender and more. The survey finds that the median salary for Canadian privacy professionals is $74,005, with the software and services industry topping the scales at $88,648. Also, take a look at data on recent raises and bonuses received and the differences in salaries related to position and acquiring a certification. [Full Story] See also: [Cost of data breaches increasing to average of $3.8 million, new Ponemon study says]


EU – Google, Max Mosley Reach Settlement on Censored Images

Google and Max Mosley, formerly of Formula One, have settled a long-running legal dispute involving compromising images of the well-known UK figure that were published in 2008. Mosley had urged Google to automatically remove links to the images, but the company had argued that it should remove such links on a case-by-case basis. In many ways, the Mosley case previewed the EU’s so-called right-to-be-forgotten phenomenon. Terms of the deal between Google and Mosley have not been disclosed, but according to the report, suits filed by Mosley in Germany, France and the UK have all been settled. [The Wall Street Journal]


US – States Settle With Credit Bureaus on Consumer Reports

31 states have reached a settlement with credit bureaus Equifax, Experian and TransUnion requiring them to alter the way they handle consumers’ financial and credit history data. Topping the list of changes, the firms must provide the participating states with the lender names and other businesses that consistently share erroneous data. If the states see a spike in consumer complaints regarding inaccurate information, the state attorneys general (AGs) may have the option to investigate. The settlement is similar to one reached between the credit bureaus and the New York AG. Ohio AG Mike DeWine said complaints have risen in the past year, adding, credit bureaus “have a flawed system that cannot effectively work. Changing (that) behavior was (a) No. 1 priority.” [The Wall Street Journal] [ABC News: 31-State Deal Should Make Credit Report Errors Easier to Fix]

CA – Terrorist Activity Financing Indicators Published

Canadian businesses and reporting entities such as financial institutions generally have little experience with terrorist financing and what to look out for to comply with Anti-Money Laundering requirements. As part of the federal government’s broader intelligence efforts to counter these threats, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has worked with Canadian law enforcement and national security partners to update indicators of terrorist activity financing, which is often effected through money laundering. Available publicly for the first time, FINTRAC’s updated list highlights actions which could indicate money laundering activities. It red-flags transactions where there could be reasonable grounds to suspect a terrorist activity financing offence.

Indicators linked to Terrorist Activity Financing

  1. Client accesses accounts, and/or uses debit or credit cards in high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and / or political instability or known to support terrorist activities and organizations.
  2. Client identified by media or law enforcement as having travelled, attempted / intended to travel to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
  3. Client conducted travel-related purchases (e.g. purchase of airline tickets, travel visa, passport, etc.) linked to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
  4. The client mentions that they will be travelling to, are currently in, or have returned from, a high risk jurisdiction (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
  5. Client depletes account(s) by way of cash withdrawal.
  6. Client or account activity indicates the sale of personal property / possessions.
  7. Individual/entity’s online presence supports violent extremism or radicalization.
  8. Client indicates planned cease date to account activity.
  9. Client utters threats of violence that could be of concern to national security / public safety.
  10. Sudden settlement of debt(s) or payments of debts by unrelated third party(ies).
  11. Law enforcement indicates to reporting entity the individual/entity may be relevant to a law enforcement and/or national security investigation.
  12. Client’s transactions involve individual(s) / entity(ies) identified by media or law enforcement as the subject of a terrorist financing or national security investigation.
  13. Client donates to a cause that is subject to derogatory publicly available information (crowdfunding initiative, charity, NPO, NGO, etc.).
  14. Client conducts uncharacteristic purchases (e.g. camping/outdoor equipment, weapons, ammonium nitrate, hydrogen peroxide, acetone, propane, etc.).
  15. A large number of email transfers between client and unrelated third party(ies).
  16. Client provides multiple variations of name, address, phone number or additional identifiers.
  17. The sudden conversion of financial assets to a virtual currency exchange or virtual currency intermediary that allows for increased anonymity.

For more information on filing suspicious transaction reports with FINTRAC, see the agency’s Suspicious Transactions guidelines. [Mondaq News]
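Several of the indicators above are statements about transaction data rather than about intelligence a reporting entity receives, so a monitoring system can evaluate them mechanically. The following is an added illustration, not FINTRAC’s or Mondaq’s own code, of how indicators 1, 5, 10, 15 and 16 can be screened over a client’s transaction history. The jurisdiction codes, thresholds and the sample transactions are all constructed assumptions for the example; a real programme would take them from the institution’s own risk assessment.

```python
"""Screening a client's recent activity against a subset of the FINTRAC
terrorist-activity-financing indicators (added example, not FINTRAC code)."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumptions for the example: placeholder jurisdiction codes and thresholds.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}   # not a real list; indicator 1
CASH_DEPLETION_RATIO = 0.9               # share of opening balance; indicator 5
EMAIL_TRANSFER_THRESHOLD = 5             # transfers with one party; indicator 15
IDENTIFIER_VARIANT_THRESHOLD = 3         # variants of one identifier; indicator 16


@dataclass
class Txn:
    ts: datetime
    kind: str                 # card | cash_withdrawal | debt_payment | email_transfer
    amount: float
    country: str = "CA"       # where a card transaction took place
    counterparty: str = ""    # payer/payee other than the client, if any


@dataclass
class Profile:
    """What the reporting entity already holds about the client."""
    related_parties: set = field(default_factory=set)   # family, employer, etc.
    names: set = field(default_factory=set)
    addresses: set = field(default_factory=set)
    phones: set = field(default_factory=set)


def screen(txns, opening_balance, profile):
    """Return {indicator_number: evidence} for every indicator that fires."""
    hits = {}

    # Indicator 1: card use in a high-risk jurisdiction.
    hr = [t for t in txns if t.kind == "card" and t.country in HIGH_RISK_JURISDICTIONS]
    if hr:
        hits[1] = f"{len(hr)} card transaction(s) in {sorted(set(t.country for t in hr))}"

    # Indicator 5: account depleted by cash withdrawals over the window.
    cash_out = sum(t.amount for t in txns if t.kind == "cash_withdrawal")
    if opening_balance > 0 and cash_out >= CASH_DEPLETION_RATIO * opening_balance:
        hits[5] = f"cash withdrawals of {cash_out:.2f} against opening balance {opening_balance:.2f}"

    # Indicator 10: debts settled by parties with no known relationship to the client.
    unrelated = [t for t in txns if t.kind == "debt_payment"
                 and t.counterparty and t.counterparty not in profile.related_parties]
    if unrelated:
        hits[10] = f"debt payments from unrelated parties: {sorted(set(t.counterparty for t in unrelated))}"

    # Indicator 15: many email transfers with an unrelated third party.
    counts = Counter(t.counterparty for t in txns
                     if t.kind == "email_transfer" and t.counterparty not in profile.related_parties)
    heavy = {cp: n for cp, n in counts.items() if n >= EMAIL_TRANSFER_THRESHOLD}
    if heavy:
        hits[15] = f"email transfers with unrelated parties: {heavy}"

    # Indicator 16: multiple variations of name, address or phone on file.
    variants = {label: len(values) for label, values in
                (("name", profile.names), ("address", profile.addresses), ("phone", profile.phones))
                if len(values) >= IDENTIFIER_VARIANT_THRESHOLD}
    if variants:
        hits[16] = f"multiple identifier variants on file: {variants}"

    return hits


def sample_case():
    """Constructed history in which five indicators fire."""
    t0 = datetime(2015, 5, 1)
    txns = [
        Txn(t0, "card", 120.0, country="XX"),
        Txn(t0 + timedelta(days=1), "cash_withdrawal", 4000.0),
        Txn(t0 + timedelta(days=2), "cash_withdrawal", 800.0),
        Txn(t0 + timedelta(days=3), "debt_payment", 2500.0, counterparty="unknown-co"),
    ] + [Txn(t0 + timedelta(days=4, hours=h), "email_transfer", 50.0,
             counterparty="stranger@example.com") for h in range(6)]
    profile = Profile(related_parties={"spouse"},
                      names={"A. Smith", "Alex Smith", "Alexander Smyth"})
    return screen(txns, opening_balance=5000.0, profile=profile)


def benign_case():
    """Constructed ordinary activity; nothing should fire."""
    t0 = datetime(2015, 5, 1)
    txns = [Txn(t0, "card", 30.0), Txn(t0, "cash_withdrawal", 100.0),
            Txn(t0, "email_transfer", 40.0, counterparty="spouse")]
    return screen(txns, 5000.0, Profile(related_parties={"spouse"}, names={"Pat Lee"}))


if __name__ == "__main__":
    for num, evidence in sorted(sample_case().items()):
        print(f"indicator {num}: {evidence}")
```

A hit on one indicator is not by itself “reasonable grounds to suspect”; the value of running the checks together is that the analyst sees which indicators co-occur for a client and can weigh them against the context FINTRAC’s other indicators (media reports, law enforcement notices) supply.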

CA – Bank Fails to Advise Credit Bureaus of Inaccurate Personal Information

It is important that all organizations and their employees be familiar with their privacy policies and implement them accordingly. Otherwise, the organization may be exposed to claims, as in Albayate v. Bank of Montreal, 2015 BCSC 69. In this case, the Bank changed Ms. Albayate’s mailing address in its computer system without her consent and authorization. As a result of this error, three envelopes containing Ms. Albayate’s Bank statements were sent to her ex-husband’s address (the evidence suggested that the letters were not opened by Mr. Albayate). The Bank also reported the inaccurate personal information to two credit bureaus, Equifax and TransUnion. When the Bank learned of its mistake, it promptly corrected the error in its computer system but failed to advise the credit bureaus of the correction immediately, as mandated by the Bank’s privacy policy. Although many of Ms. Albayate’s allegations were not accepted, she established her claim that the Bank breached her privacy rights under the Privacy Act, RSBC 1996, c 373, and that the Bank breached its privacy policy, which formed part of its contract with Ms. Albayate. [Mondaq]

WW – PCI: 5 New Security Requirements

New Task Force Created to Assist Smaller Merchants

Five best practices noted in version 3.0 of the PCI Data Security Standard will become requirements after June 30, and smaller merchants are likely to be the most affected. That’s because the new requirements relate to point-of-sale vulnerabilities that have commonly been linked to exploits at small and mid-sized businesses. The best practices, which were included when PCI-DSS version 3.0 was released in November 2013, state:

  1. Merchants should secure authentication and online session management, to help prevent the theft of online credentials;
  2. Third-party service providers with remote access to POS systems should use a unique passcode credential for each merchant customer;
  3. Service providers should confirm in writing that they are responsible for the security of cardholder data they store, process or transmit on behalf of the merchant;
  4. Merchants should regularly inspect POS devices to ensure they have not been “swapped” or tampered with to skim or collect card details;
  5. Merchants should conduct regular penetration testing through simulated device attack scenarios to exploit known and possible vulnerabilities.

The PCI Security Standards Council says merchants of all sizes are increasingly at risk, and that these requirements reflect areas all businesses should address. [Bank Information Security]

WW – Bitcoin Releases Privacy Rating Report

The Open Bitcoin Privacy Project (OBPP) has released what it’s calling the Spring 2015 Wallet Privacy Rating Report to assess the effectiveness of the top 10 most popular Bitcoin wallets in protecting users’ privacy. The wallets underwent 38 privacy tests that were grouped into five categories, and each test was assigned classifications in relation to usability, quality and feedback. Overall, Darkwallet ranked first among the major Bitcoin wallets and was the first to be “explicitly devoted to privacy as a primary design goal,” the report states. Armory ranked second, followed by Mycelium and Bitcoin Wallet. [CoinReport]

WW – Facts About FATCA, America’s Global Disclosure Law

FATCA requires foreign banks to reveal Americans with accounts over $50,000. Non-compliant institutions could be frozen out of U.S. markets, so everyone is complying. …More than 80 nations—including virtually all that matter—have agreed to the law. So far, over 77,000 foreign financial institutions (FFIs) have signed on too. Countries must throw their agreement behind the law or face dire repercussions. Even tax havens have joined up. The IRS has a searchable list of financial institutions. Countries on board are at FATCA – Archive. [Forbes] [NYT: An American Tax Nightmare] [Solicitor Client Privilege in Tax Matters]

CA – Thousands of CRA Employees Fell for Fake Phishing E-Mail Test

Over the first three months of this year, the Canada Revenue Agency’s (CRA) security and internal-affairs division sent 16,000 employees an e-mail designed to replicate the potentially dangerous messages that are common to anyone with an e-mail account. …The result of the CRA’s test was that 78% of employees did not click on the link contained in the phishing attempt. However, that means roughly 3,500 employees did fall for the scam, even though they were informed ahead of time that the test would take place. [Globe & Mail] See also: [What To Do When Your Nonprofit Becomes The Target Of A Phishing Scam]


CA – Yukon Gov’t Keeping Names, Salaries Private

The Yukon government is refusing to release names and specific salaries of public-sector workers that make more than $100,000. Currie Dixon, the minister responsible for the Yukon Public Service Commission, said in an announcement that doing so would violate the Yukon Access to Information and Protection of Privacy Act. The statement was made in response to a CBC inquiry related to a report on “sunshine lists” that noted, “Government is the top public-sector employer in Yukon, accounting for 40% of the total jobs … It turns out a sunshine list is not a popular idea with either the territorial government or the union representing its employees.” [CBC] [Source]

US – Privacy Often Trumps Transparency With Police Shooting Videos

Across the country, law enforcement agencies are equipping police and patrol cars with cameras to capture interactions between officers and the public. But many of those police forces, like Gardena’s, do not release the recordings to the public, citing concerns about violating the privacy of officers and others shown in the recordings and the possibility of interfering with investigations. That approach has drawn criticism from some civil rights activists who say that the public release of recordings is crucial to holding police accountable — especially if the officers involved in the incidents are allowed to view the videos. [LA Times]

Health / Medical

US – House Committee Supports 21st Century Cures

In a move to hasten research “that could lead to the availability of promising medical treatments and devices,” the House Committee on Energy and Commerce has voted unanimously in favor of the 21st Century Cures bill, which looks to remove the patient consent requirement for covered entities to use protected health information (PHI) for academic purposes. The move has raised concerns, however. “The patient control is being relaxed, yet it’s unclear to me where the data will go,” said the Center for Democracy & Technology’s Michelle De Mooy.

US – Bill Altering HIPAA Privacy Rule Advances Legislation

Legislation that requires significant changes to the HIPAA privacy regulations could result in “significant administrative hurdles and burdens,” Holtzman says. “For example, if there would be significant changes to when healthcare providers and health plans can use or disclose PHI, they would be required under existing regulations to update their notices of privacy practices,” he says. “As we saw with the implementation of the Omnibus Rule in 2013, there are significant costs in developing and distributing the notices.” If the legislation is approved, it could take some time for the privacy changes to affect healthcare providers and business associates. “If the bill is passed into law – always a big if – it provides HHS with a year to implement the law through regulations,” Greene notes. “Realistically, though, it may take far longer before HHS is able to publish a final rule.” [GovInfoSecurity]

WW – Health Organizations Cite Privacy as Top Concern

In the Office of the National Coordinator for Health IT’s recently published public comments on its draft for nationwide interoperability, health data privacy and security were top issues for several organizations. The office released Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Draft Version 1.0 in January, and in the public comments, accepted through April 3, many agencies said they were in favor of interoperability and data exchanges but that providers “must be interoperable without sacrificing patient privacy in the process,” the report states. Intel submitted that privacy and security protections must be addressed holistically through “effective end-to-end security” to protect against exploitations like cybercrime. [HealthITSecurity]

US – HIPAA Audits to Continue

Privacy This Week reports the second phase of the Department of Health and Human Services Office for Civil Rights Health Insurance Portability and Accountability Act audits “is on its way.” [GovInfo Security]

US – DHS: Lapses in USCG Privacy Protocol Need Attention

The Department of Homeland Security is requesting that the U.S. Coast Guard (USCG) establish consistent processes for workers’ healthcare record security after audits found the current systems (or lack thereof) troubling. “USCG is limiting its ability to assess risks and mitigate potential for privacy or HIPAA breaches,” says Sondra McCauley, assistant inspector general for IT audits. The crux of the problem, says Chief Information Security Officer Ariel Silverstone, CIPT, is that “it appears that no one functionary, even at the assistant commandant level, is responsible for privacy.” Suggested improvements range from increasing communication between HIPAA representatives and the USCG privacy officer to establishing “milestones to ensure the Coast Guard has contingency plans to safeguard privacy in the event of a disaster or emergency.” [Gov Info Security] [10 tips for creating a cybersecurity program]

US – $19 Million Breach Settlement Terminated

A $19 million settlement between Target and MasterCard has been terminated. The deal was originally announced in April and would have provided compensation to banks and credit unions that sued over Target’s breach, but the settlement fell through because not enough banks accepted the deal. In their suit, lawyers argued that the deal with MasterCard “was an attempt to undercut their claims for damages,” the report states. Plaintiffs’ lawyers said, “We are pleased that financial institutions have resoundingly rejected Target and MasterCard’s attempt to avoid fully reimbursing the losses suffered during one of the largest data breaches in U.S. history.” [Reuters]

CA – Privacy Commissioner Calls for Prosecution of Third Snooping Case

New figures show health privacy breaches are on the rise in Ontario as Brian Beamish recommends prosecuting another incident. This week, the privacy commissioner’s office released its 2014 annual report, showing that 439 health privacy breaches were reported last year, up from 407 the previous year.  But, because Ontario does not have a mandatory reporting requirement like that of most other jurisdictions in Canada, hospitals are not obliged to notify the commissioner of privacy breaches. That means those figures represent just the tip of the iceberg, Beamish has previously told the Star. [Source] See also: [The Star: Is enough being done to stop your health information from going public?]

CA – Ontario Privacy Commissioner Releases Annual Report

In his first annual report since becoming Commissioner, Brian Beamish expressed support for the adoption of new tools and offers assistance to Ontario institutions to ensure privacy protection and compliance with the law. In Charting a Course for the Future, the Commissioner examines the use of new technologies in programs being implemented across the province, such as electronic health records and body-worn cameras. He also recognizes the enormous possibilities and benefits of Open Government. The Commissioner offers three recommendations for the government to enhance the privacy of personal information and enable the public to access more government-held information. [Source]

US – Most Companies Take Over 6 Months to Detect Data Breaches

New research suggests the average financial or commercial business faces multiple attacks per month — and it takes months for data breaches to be detected. According to a survey of 844 IT and IT security practitioners in the financial sector across the US and 14 countries within the EMEA region, and 675 IT professionals in the same countries within the retail sector, both industries are struggling to cope with today’s threat landscape. Once a data breach occurs, it takes an average of 98 days for financial services companies to detect the intrusion on their networks, and 197 days in retail. [ZDNet] [Which States Have a Data Breach Notification Law?]

US – Study: Criminals Find Gold Mine in Easy-To-Access Healthcare Data

Criminals have set their sights on the information-rich healthcare sector, according to findings of the recently released Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute. According to the FBI, criminals are targeting the healthcare sector because individuals’ personal information, credit information and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold. In fact, PHI records can fetch up to $60 to $70 each, as opposed to about $5 for credit cards. The Ponemon study found criminal attacks are up 125% in the last five years and the new leading cause of healthcare data breaches. This represents a major shift of data breach causes from accidental to intentional as criminals increasingly target and exploit healthcare data—particularly medical files and billing and insurance records. [Source]

US – Medical Center Rethinking Privacy Policies

After a University of Rochester Medical Center (URMC) nurse practitioner transferred to a new facility and took a list of URMC patients to her new employer without their consent, the center is reviewing its privacy policies. URMC CEO Mark Taubman acknowledges that the move was a breach of HIPAA and that reform is in order. “This is a wake-up call. This is a slap in the face saying, hey, there is a system problem here,” he said. “Sometimes you just don’t see these things until you get burned.” The nurse practitioner requested the list citing a desire to use the data as a way to “ensure continuity of care,” the report states. [The Democrat and Chronicle]

Horror Stories

US – Dating Site Hackers Expose Details of Millions of Users

Adult FriendFinder’s 3.9 million users’ sexual preferences and personal details were compromised after a hacker posted stolen data. Details of users’ sexual preferences – including whether they are gay or straight, and whether they are seeking extramarital affairs – has been compromised, along with email addresses, usernames, dates of birth, postcodes and the unique internet addresses of users’ computers. The dating site bills itself as a “thriving sex community” where users can share sensitive sexual information. [The Guardian] See also: [After Breach, Experts Question Security of Dating Sites] [San Bernardino: Thousands of people’s credit card info found on computers]

US – Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

mSpy, a company that sells software that people can use to spy on others, has admitted that attackers broke into its systems and stole data. mSpy had initially denied allegations that its systems were breached. The company says that the breach affects 80,000 customers, not the 400,000 reported in earlier stories. A Tor-based site hosts several hundred gigabytes’ worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions. [Krebs] [BBC] [More Evidence of mSpy Apathy Over Breach]

US – CareFirst BlueCross BlueShield Breach

CareFirst BlueCross BlueShield has acknowledged that an attack on one of its databases compromised the personally identifiable information of 1.1 million customers. The attack resembles those perpetrated on Anthem and Premera. The affected data include names, birth dates, email addresses, and insurance identification numbers. [Krebs] [ComputerWorld] [DarkReading] See also: [City of Oshawa reports privacy breach after 1,000 rec user e-mail addresses released] In Newfoundland and Labrador, a mailing error has led to a breach, and a fax error sent patient lab results to a business owner rather than to doctors. In Alberta, Calgary police had notebooks stolen from an off-duty vehicle and are now “notifying up to 400 people that their privacy may have been breached.” The Star reports on concerns in Ontario that the regulator for Ontario nurses “does not automatically alert police or Ontario’s privacy commissioner when it becomes aware of cases where nurses may have snooped into patient files.” [Full Story]

Identity Issues

WW – Microsoft Unveils Lockbox-Style Technology

Microsoft’s research arm has announced a new technology that aims to protect cloud workloads. Last year, Microsoft announced its lockbox approach to safeguarding cloud data, which puts the customers in complete control of their data and requires consent before even Microsoft administrators can access it. The newly revealed Verifiable Confidential Cloud Computing technology takes a similar approach. [eWeek]

WW – Dropbox Certifies Under ISO Standard

Dropbox has announced it has achieved certification for ISO 27018. “We saw an opportunity to lead in this space and demonstrate our commitment to user trust,” said Patrick Heim, head of trust and security at Dropbox. See also: [UK porn industry preps for mandatory ID checks]

AU – Metadata is Personal Information, Says Privacy Commissioner

The Privacy Commissioner decided that Grubb’s network data was personal information under the Privacy Act. … First, Grubb’s network data provided information about Grubb, because the data could be linked with other data held in Telstra’s networks and records to establish what websites he had visited, which was information about Grubb. Second, the Commissioner decided that Grubb’s identity could be reasonably ascertained from the network data. By itself, network data such as cell tower location information or IP addresses contained nothing about Grubb’s identity. [Mondaq]
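The Commissioner’s two-step reasoning turns on linkability: an IP address and a timestamp say nothing on their own, but a carrier also holds the record of which account held that address at that moment. The following added example, written for this digest and not taken from the Commissioner’s decision or from any carrier’s systems, shows the join that makes network data personal information. The address-assignment records, account labels and web-visit records are all constructed; the IP addresses are from documentation ranges.

```python
"""Why carrier-held network data is linkable to a person (added example).

A web-visit record (ip, time, host) identifies nobody by itself. Joined with
the carrier's own record of which account held that IP address at that time,
it becomes a browsing history of a named customer."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Lease:
    """Carrier record: which account held an IP address during a time window."""
    ip: str
    start: datetime
    end: datetime            # exclusive
    account: str


@dataclass
class Visit:
    """Network data: one request seen from an address at a time."""
    ip: str
    ts: datetime
    host: str


# Constructed sample data. The same public address is reused by two
# accounts on the same day, which is why the timestamp matters.
LEASES = [
    Lease("203.0.113.7", datetime(2015, 5, 20, 8, 0), datetime(2015, 5, 20, 12, 0), "acct-1001"),
    Lease("203.0.113.7", datetime(2015, 5, 20, 12, 0), datetime(2015, 5, 20, 18, 0), "acct-2002"),
    Lease("198.51.100.9", datetime(2015, 5, 20, 0, 0), datetime(2015, 5, 21, 0, 0), "acct-3003"),
]
ACCOUNTS = {"acct-1001": "customer A (constructed)",
            "acct-2002": "customer B (constructed)",
            "acct-3003": "customer C (constructed)"}
VISITS = [
    Visit("203.0.113.7", datetime(2015, 5, 20, 9, 30), "news.example"),
    Visit("203.0.113.7", datetime(2015, 5, 20, 13, 15), "shop.example"),
    Visit("198.51.100.9", datetime(2015, 5, 20, 9, 30), "mail.example"),
    Visit("203.0.113.7", datetime(2015, 5, 20, 20, 0), "late.example"),   # no lease covers this
]


def account_for(ip, ts, leases):
    """Step two of the reasoning: with the lease table, an (ip, time) pair
    resolves to an account; without it (empty table) it resolves to nothing."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.account
    return None


def browsing_history(account, visits, leases):
    """Step one of the reasoning: the visits attributable to one customer,
    i.e. information *about* that customer reconstructed from network data."""
    return [(v.ts.isoformat(), v.host) for v in visits
            if account_for(v.ip, v.ts, leases) == account]


def name_for_visit(visit, leases, accounts):
    """Full linkage from a bare network record to a customer label."""
    account = account_for(visit.ip, visit.ts, leases)
    return accounts.get(account) if account else None


if __name__ == "__main__":
    for v in VISITS:
        print(v.ip, v.ts.time(), v.host, "->", name_for_visit(v, LEASES, ACCOUNTS))
```

The same address maps to different customers depending on the minute, and a visit outside any lease window maps to nobody: retention of the assignment records is what converts otherwise anonymous traffic metadata into information about an identifiable person, which is the point the Commissioner’s two steps make.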

Internet / WWW

WW – IoT-Connected Toy Patents Generate “Creepy” Tag

A newly published patent detailing plans by Google for Internet-connected toys has generated concerns. Such products would act as an “anthropomorphic device” in the form of a “doll or toy that resembles a human, an animal, a mythical creature or an inanimate object,” the patent states. One would be a teddy bear that could control Internet-of-Things devices within the home through voice command or gestures. A spokesperson for Big Brother Watch described “the creepiness of the product for families,” adding, “Children’s toys should enable children to play in private and not be watched. It’s important that privacy and security by design is taken into consideration and is not an afterthought particularly when dealing with children.” [CNBC]

WW – Letter to Zuckerberg Critiques

In an open letter to Facebook CEO Mark Zuckerberg, detractors of a program that aims to be a free, basic Internet provider for third-world countries cite concerns about privacy and a basic ideology that contravenes net neutrality, among others. “It is our belief that Facebook is … building a walled garden in which the world’s poorest people will only be able to access a limited set of insecure websites and services,” they write. The letter comes on the heels of an early release of “We and our critics share a common vision of helping more people gain access to the broadest possible range of experiences and services on the internet,” a spokesperson said in response to the letter. [Mashable]

WW – Global Privacy Sweep Focusing on Children

The Global Privacy Enforcement Network plans to focus its 2015 international privacy sweep on the proliferation of websites and mobile applications targeted at children. The sweep involves 29 data protection authorities in 20 countries. “Children are more connected than ever before, and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or e-mail address,” said Canadian Privacy Commissioner Daniel Therrien. “This is about protecting children. I can’t think of anything more important than that.” The sweep will assess whether the apps and websites examined collect personal information from children and the controls in place to limit that collection. [Source]

CA – Chartered Accountants Release Updated Privacy Toolkit

The Chartered Professional Accountants of Canada has published the second edition of The Canadian Privacy and Data Security Toolkit.

Law Enforcement

US – Advocacy Groups Release Law Enforcement Guidelines

A coalition of civil rights and privacy advocacy groups has released a set of guidelines urging lawmakers and law enforcement to curb the use of facial-recognition software and prohibit officers from viewing body-cam videos prior to filing their police reports. The groups also call for the video footage to be made publicly available and not under sole control of law enforcement. Meanwhile, [CNN] See also: [Richmond Hill family traumatized by police raid on their home after falling victim to ‘swatting’ prank]

CA – Police Background Checks No Longer Include Mental Health Incidents

In a step forward for mental health rights, the Toronto Police Service will no longer release records of non-criminal mental health encounters with police — including suicide attempts or other psychological crises — to employers and community groups requesting background checks on potential employees or volunteers. Effective this week, the Toronto police force joins law enforcement agencies across Ontario and Canada halting a practice that civil rights and mental health groups have long been decrying as discrimination affecting a growing number of Canadians. Rights organizations including the Canadian Civil Liberties Association, the Ontario Human Rights Commission and the Information and Privacy Commissioner of Ontario have increasingly been sounding the alarm that Canadians with a history of mental illness — or even a single mental health episode that provoked a police response — have lost employment and volunteer opportunities due to the release of non-conviction mental health records. In a May 20 memo sent to community organizations working with children or vulnerable people, Toronto police announced that effective this week, groups making background checks under the “Vulnerable Sector Screening Program” will no longer receive information about mental health-related contact with police. Prior to the change, Toronto police released mental-health information when asked for it by groups hiring for positions ranging from teaching to coaching to volunteering and more. [The Toronto Star]

US – Obama Calls for Restricting Military Gear to Local Police

In an effort to improve relations between police and communities, the White House has announced new standards for federal programs in the aftermath of the Ferguson protests. Mr. Obama said police use of such equipment can send the wrong message by intimidating and alienating local residents. [WSJ]

US – Even the FBI Has Concerns About License Plate Readers

Newly released documents obtained by the ACLU indicate a debate within the FBI over the legality of collecting license plate data. A heavily redacted e-mail written by a senior vice president at Elsag North America, a major producer of the devices, indicates that the Office of General Counsel—or OGC, an internal legal advisory division within the FBI—”is still wrestling with [license plate recognition] privacy issues.” The executive notes that the FBI at that time had “stopped [the bureau’s] purchase” of the cameras “based on advice from the OGC.” [Bloomberg] Separately, Wired reports that the FBI’s Office of General Counsel has raised concerns, internally, about the agency’s use of automatic license plate readers (ALPRs). The ACLU’s Speech, Privacy and Technology Project notes in a blog post that ALPRs “are a sophisticated way of tracking drivers’ locations, and when their data is aggregated over time, they can paint detailed pictures of people’s lives.” [Questions Remain About How To Use Data From License Plate Scanners] [License-Plate Scanners On the Rise]


US – Package-Tracking Leads to a Dealer’s Home Address

A federal drug case “has shed new light on how the USPS law enforcement unit uses something as simple as IP logs on the postal tracking website to investigate crimes.” In the Massachusetts case, which is ongoing, a suspected drug dealer “was found out simply by the digital trail he left on the USPS’ Track n’ Confirm website,” the report states, citing a court affidavit. The USPS’s Stephen Dowd wrote, “The USPS database reflected that an individual using a computer or other device with IP address accessed the USPS Track ‘n Confirm website to track the progress of both the Florida Parcel and Bates Parcel #1.” [Ars Technica]


AU – Australian Government Quietly Expands Access to Retained Data

The Department of Immigration and Border Protection has been granted the power to access the telecommunications data of all Australians after the government quietly amended legislation it passed just two months ago. Under the mandatory data-retention legislation, only a select number of government agencies can access the stored call records, assigned IP addresses, location information, and other telecommunications data for the purposes of investigating breaches of the law. When the Australian Labor Party announced that it would side with the government and pass mandatory data-retention legislation in March, the support came with a number of amendments to the legislation, designed to increase oversight and improve accountability over government access to the stored data. One of the accountability measures was to require the parliament to approve the addition of any new agencies to be allowed access to the stored data. The original legislation only required the attorney-general to add the agencies through regulation. Less than two months after the passage of the Bill, however, another agency has been quietly added to the list: Immigration and Border Protection. The amendment came in the Customs and Other Legislation Amendment (Australian Border Force) Bill 2015, passed by the Australian parliament as part of the overall Australian Border Force legislation to create a “single front-line operational border control and enforcement entity” in the department. The amendment was slammed by Greens communications spokesperson Scott Ludlam, who stated that it would be used by the agency to track down leaks of information from Australia’s offshore detention centres to journalists. “This is the first instance of scope creep. It gives me absolutely no pleasure to say ‘we told you so’, but we did; we said at the time of the data-retention debate that the Bill has scope creep written into it.” Ludlam said that the Bill side-stepped the approval of the Parliamentary Joint Committee of Intelligence and Security to get added to the list of approved agencies. [Source]

WW – Free Tool Reveals Mobile Apps Sending Unencrypted Data

A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn’t protected. The program, called Datapp, comes from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data. The reaction to that study prompted the group to create an application where people could test for themselves which applications don’t encrypt data and exactly what is exposed, said Ibrahim Baggili, UNHcFREG’s director. There are many security tools that can collect wireless data traffic, but they’re usually designed for people with some technical background. Datapp is essentially a traffic “sniffer,” along the lines of network traffic analysis tool Wireshark, but much simpler. [Source]
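The check a Datapp-style sniffer performs on each captured connection is simple to state: is this TCP payload a plaintext HTTP request (and if so, to which host and carrying what), or a TLS handshake? The following is an added example, not Datapp’s or UNHcFREG’s code. It classifies captured payloads and pulls the hostname out of a TLS ClientHello’s SNI extension, so that even encrypted traffic can be attributed to a service. The sample payloads, the hostnames and the list of “sensitive” parameter names are constructed for this example; a real run would feed it payloads from a capture library.

```python
"""Flag plaintext HTTP versus TLS in captured TCP payloads, the check a Datapp-style sniffer makes."""
import re
import struct
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
# Parameter names worth calling out when they travel in the clear (heuristic, not exhaustive).
SENSITIVE = re.compile(rb"\b(pass(word|pwd|wd)?|token|session(id)?|auth|secret)=", re.I)


def parse_tls_sni(payload: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None if the bytes are not one."""
    try:
        if payload[0] != 0x16:                          # record type 0x16 = handshake
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if hs[0] != 0x01:                               # handshake type 0x01 = ClientHello
            return None
        p = 4 + 2 + 32                                  # header(4), client_version(2), random(32)
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0:                           # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):                  # truncated or malformed record
        pass
    return None


def classify(payload: bytes) -> dict:
    """Label one captured TCP payload: plaintext HTTP (with what it leaks), TLS (with SNI), or unknown."""
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        host = re.search(rb"\r\nHost:[ \t]*([^\r\n]+)", payload, re.I)
        return {
            "kind": "plaintext-http",
            "host": host.group(1).decode("ascii", "replace") if host else None,
            "request": request_line,
            "sensitive": bool(SENSITIVE.search(payload)),
        }
    sni = parse_tls_sni(payload)
    if sni is not None:
        return {"kind": "tls", "host": sni}
    return {"kind": "unknown"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test fixture, not a real client)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32                  # client_version, random
            + b"\x00"                                   # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample payloads (not real captures): a cleartext login, a TLS handshake, and noise.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: api.example-app.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=hunter2",
    build_client_hello("mail.example.test"),
    b"\x00\x01not-http-not-tls",
]


def report(payloads) -> list:
    """Classify every payload; the caller decides what to show the user."""
    return [classify(p) for p in payloads]


if __name__ == "__main__":
    for finding in report(SAMPLE_PAYLOADS):
        print(finding)
```

The classifier deliberately looks only at the first bytes of each direction: a request line or a handshake record is enough to say whether the app is protected, and the SNI parser stops as soon as it has the hostname rather than trusting the rest of the record.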

Online Privacy

US – FTC: “Enhancing Permissions Through Contextual Integrity”

In a new blog post, the FTC Division of Privacy and Identity Protection’s Nithan Sannappa writes that “improving the usability and efficacy of permission systems remain important challenges to address.” Sannappa examines how “mobile operating systems can help users make informed decisions regarding access requests and minimize information flows that defy user expectations.” [blog]

US – FTC Launches Workshop Paper on the Sharing Economy

The FTC has unveiled the agenda for next month’s workshop on The Sharing Economy: Issues Facing Platforms, Participants and Regulators, which will include panels focusing on market design and structure, trust mechanisms and the interplay between competition, consumer protection and regulation for both industry and policy. In other FTC news, Commissioner Joshua Wright expressed harsh words for the agency during a speech, saying recent Internet-of-Things and data-broker reports chose a more “anecdotal approach” over an “evidence-based” one.

WW – Parents Upload 973 Child Photos on Social Media by Age 5: Study

According to the research, carried out by online safety site The Parent Zone on behalf of safety campaign knowthenet, on average 973 photos are posted online by parents before their children turn five, despite 17% of parents admitting they had never checked their Facebook privacy settings. The research also claimed that almost half (46%) had only checked their settings once or twice, despite Facebook being the most common platform for photo-sharing. The campaign claims parents are running the risk of over-sharing and creating a digital footprint their child has no control over. The knowthenet campaign is being run by internet registry site Nominet, whose chief executive Russell Haworth said: ‘We all love to share those precious moments in our children’s lives with friends and family and sites like Facebook have made it easier than ever.’ [Daily Mail]

WW – Mozilla Moves to Browsing-Based Ad Tiles

Mozilla has launched a new program that aims to serve advertisements based on users’ browsing histories while also protecting their privacy. The “Suggested Tiles” program will allow an advertising service to infer users’ interests by comparing their browsing histories against sets of URLs that align with certain categories. “With Suggested Tiles, we want to show the world that it is possible to do relevant advertising and content recommendations while still respecting users’ privacy and giving them control over their data,” said Mozilla VP of Content Services Darren Herman. The company also said it will not build user profiles and will not use cookies or other tracking tools. [TechCrunch]

WW – Browser’s Beta Version Features Increased Privacy

Following the release of its experimental browser last year, Russia’s Yandex has added a suite of new privacy-centric features. The company has switched the software from an alpha to a beta version and has made it the default for international users. In Russia, the browser will remain the experimental alternative to its older browser, but in international markets, users will have the option of private browsing, in part so the company can compete with Google, according to a Yandex spokesperson. Following the alpha release, increased privacy was one of the most requested improvements from users, especially those in Germany, Canada and the U.S. [TechCrunch] See also [Texas: High School Forces Student to Remove Online Photos Under Threat of Suspension] and [Photographer Snaps 100K Pictures in Front of One Shop]

WW – Google’s Internet-Connected Toys Patent Sparks Privacy Concerns

Google’s recently published patent for Internet-connected toys, which have microphones, cameras, speakers and motors, has sparked privacy concerns; the ‘creepy’ anthropomorphic devices might look like a doll or teddy bear, but some people believe they belong ‘in a horror film’ and have visions of an IoT-version of Chucky. According to a recently published paper, “Treading Beyond the Iota of Fear: eDiscovery of the Internet of Things,” Google didn’t buy Nest “because the smartphone controlled thermostat was cool;” the company knows a great deal “about its users from scanning Gmail accounts and now it will know when individuals are statistically likely to leave their house.” And “by connecting multiple communication devices into a single automated ecosystem, one can create not only a very accurate data map about a person’s past and recent activity, but also dispense a sensory device – robotic or otherwise – to cater to the person’s anticipatory needs. But will you have control over your personal data map?” That paper talks about the legal eDiscovery aspects of the Internet of Things, looking forward to a time when your IoT devices and their data can be used against you in court. [ComputerWorld] [WW – How Google Now Avoids “Creepy,” Apple Aims To Compete]

Other Jurisdictions

SK – South Korea Mandates Spyware on Teens’ Phones

Korea Communications Commission, which has sweeping powers covering the telecommunications industry, passed a law mandating spyware on the mobile phones of anybody under the age of 18. Unlike countries with similar laws, such as Japan, parents can’t opt out, regardless of any (well-founded) privacy concerns. Not only is there no opt-out, but the law actually stipulates that mobile phone providers nag parents on a monthly basis until they comply. [NakedSecurity] [Prying parental eyes: Phone monitoring apps flourish in S. Korea, new rule orders installation]

WW – Other News

Privacy (US)

US – Markey Wants Info on Law Enforcement Data Requests

Sen. Edward Markey (D-MA) has sent letters to the seven major wireless carriers in the U.S., seeking information on the number of law enforcement requests each received in 2013 and 2014, according to a press release. Additionally, Markey wants to know what type of user data law enforcement has been requesting. “America is in the middle of an historic national debate about the legal, constitutional and privacy implications of the mass collection of our telephone information,” he said, adding, “As mobile phones have become 21st-century wallets, personal assistants and navigation devices—tracking each click we make and step we take—we need to know what information is being shared with law enforcement.” [Full Story]

US – Inspector General: DoJ, FBI Took 7 Years to Adopt Privacy Rules

A report from the Department of Justice (DoJ) Office of the Inspector General has revealed that for seven years, the DoJ and the FBI “failed to implement a provision requiring it to create privacy rules for use of an intelligence-gathering tool authorized by the USA PATRIOT Act.” Instead of adopting “minimization” procedures to protect privacy, the DoJ “adopted interim rules,” which the inspector general said “failed to provide FBI agents with specific guidance” on how long to keep “non-public” information about Americans. [WashPost]

US – UC Santa Cruz Announces Plans for Research Center

Lise Getoor, UC Santa Cruz’s Baskin School of Engineering’s associate dean of research, unveiled her plans for Data, Discovery and Decisions, a “data-driven discovery and decision-making” center for research that will also function as a “forum for researchers in the industry,” the university has announced. “The focus will be on the iterative process of going from data to discovery to decisions, which produces additional data that can be fed back into the process,” Getoor said. “We plan to focus especially on structured and heterogeneous data, such as the data generated by the Internet of Things, or any setting where you want to integrate disparate data from a variety of different sources,” she continued. [Full Story]

US – FTC: Companies That Self-Report Looked on More Favorably

The FTC advised companies in a blog post Wednesday that it looks positively on cooperation when conducting investigations into data security breaches. A company that reported a breach on its own and cooperated with law enforcement would be looked on “more favorably” than one that had not, the agency said. “In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said Mark Eichorn, assistant director for privacy and identity protection. The post described what companies can expect when the FTC comes to investigate. [The Hill]

US – Settlement Reached: RadioShack Must Destroy Customer Data

A “coalition of 38 states” prevailed in ensuring that the newly bought-out RadioShack will not sell the greater part of its collection of customer data—including credit card information, Social Security numbers and phone numbers—but by mandate must destroy it. Texas Attorney General Ken Paxton was pleased with the ruling. “This settlement is a victory for consumer privacy nationwide,” he said. “The fact that 38 states joined together in this case reflects a growing understanding of the importance of safeguarding customer information, and we are pleased that General Wireless (the corporation that bought RadioShack) will continue to be bound by RadioShack’s existing privacy policy.” [Your Houston News] [Texas: Paxton announces agreement to protect consumer privacy in Radio Shack case] [Settlement Agreement] [Computerworld: FTC Weighs In on RadioShack Sale]

US – For Bankrupt Companies, Selling Customer Data Is Lucrative —and Risky

The FTC deems bankruptcy an exception to its prohibition on the selling of data, making said information a potential source of revenue—and liability—for dying companies. The idea is to balance a consumer’s privacy rights with the best interests of a debtor’s estate and its creditors in a bankruptcy proceeding, the report states, citing comments by the FTC’s Jamie Hine. Referencing comments by MIT’s Barbara Wixon, the report points out, “CIOs must remember their legal responsibility to keep privacy promises even while carrying out their responsibility to the business to maximize the value of corporate data.” [The Wall Street Journal]

US – Yahoo Loses Bid to Block Class-Action Suit

Yahoo has lost a bid to block a lawsuit filed on behalf of millions of Internet users that alleges wiretapping violations in the company’s scanning of email. U.S. District Judge Lucy Koh has granted class-action status to nonsubscribers of the email service “who claim the company mines data from their messaging for advertising purposes,” the report states. Last year, Koh refused to let a similar complaint against Google advance as a class-action. In the Yahoo case, Koh said the plaintiffs established a “real and immediate threat of repeated injury.” Yahoo has not commented on the ruling. [BloombergBusiness]

US – Uber Ups the Privacy Ante with New Hires

Sabrina Ross, formerly of Apple, is joining Uber’s privacy team in the midst of the company’s initiative to improve its privacy processes. “At Uber, she’ll specifically work on privacy aspects of regulatory and policy issues. She’ll also be reviewing the privacy practices of Uber’s partnerships with companies like Spotify, Starwood and American Express.” Ross will be joining the likes of Chief Security Officer Joe Sullivan and Managing Counsel Katherine Tassi, who previously served as Facebook’s head of data protection. The focus on privacy has, according to an Uber report, resulted in improvements. “Uber has dedicated significantly more resources to privacy than we have observed of other companies of its age, sector and size,” the review said. [Re/Code]

US – NAI Releases New Privacy Guidelines for Ad Technology

The Network Advertising Initiative (NAI) has released new guidelines for member companies that use non-cookie tracking technologies such as digital fingerprinting. Additionally, the NAI says members must also instruct their publishing partners—such as operators of websites where data is collected—to notify users about non-cookie tracking technology, the report states, and the NAI is currently developing an opt-out mechanism that will not rely on setting third-party cookies. Meanwhile, Adblock Plus has launched a browser for Android mobile devices, and a column for ZDNet defends the use of so-called ad-blocking technology. [MediaPost] Also commonly referred to as online behavioral advertising, IBA is online advertising tailored to consumers’ interests by companies promoting their products or services, accomplished by collecting consumer data across multiple web domains owned or operated by different entities, amassing consumer profiles, and then customizing ads based on the consumers’ interests and web usage patterns using cookie-based and non-cookie-based technology. The NAI Code requires notice and choice with respect to IBA and imposes certain restrictions on members’ collection, use and transfer of data used for IBA. …The Guidance makes it very clear that “before a member may use non-cookie technology for IBA, the member must ensure that the requirements set forth in the Guidance have been adequately satisfied.” Although the Guidance is effective as of its publication on May 18, NAI members will have a grace period to implement policies and procedures to comply with the Guidance. [Source]

US – Tech Companies Urge Obama to Protect User Data

Major tech companies including Apple and Google and leading cryptologists are urging President Barack Obama to reject any government proposal that alters the security of smartphones and other communications devices so law enforcement can view decrypted data. A coalition of more than 140 tech companies, technologists and civil society groups sent a letter Tuesday to the White House asking it to protect privacy as it considers law enforcement’s need to access data that is increasingly encrypted, the report states. “Strong encryption is the cornerstone of the modern information economy’s security,” the letter said. Law enforcement, meanwhile, has been warning about threats to public safety if they can’t access data. [WashPost]

US – FTC Settlement Highlights Risks of Publicizing Company Privacy Policies

Although Nomi Technologies, Inc. (“Nomi”) does not provide services to consumers, the majority reasoned that the Commission properly exercised its power to regulate deceptive acts or practices under Section 5 of the FTC Act (“Section 5”) because certain representations in Nomi’s consumer-facing online privacy policy—which Nomi was not required to post in the first place—allegedly turned out to be inaccurate. The decision thus serves as a stark warning to mobile and other companies as they contemplate whether and how to craft privacy policies that are available to the public. [JD Supra] [FTC Acts Less Like Chief Regulator, More Like Editor-In-Chief]

UK – Supreme Court Overturns Ban on James Rhodes Autobiography

The judgment is the final step in a legal battle begun by Rhodes’ ex-wife, who applied for an injunction on the grounds that Rhodes’ graphic accounts of sexual abuse he had suffered as a child would cause psychological harm to his son, who has been diagnosed with Asperger’s syndrome, attention deficit hyperactivity disorder, dyspraxia and dysgraphia. …Rhodes’ lawyer, Tamsin Allen of London firm Bindmans, said: ‘In overturning the injunction, the Supreme Court has reaffirmed the fundamental importance of the freedom to speak the truth, even if the truth is brutal or shocking.’ …Robin Shaw, media law specialist at professional services firm Gordon Dadds, said: ‘If the court had prevented the book’s publication, the decision would have been regarded as a huge interference in the right to publish material about oneself and an extension of privacy laws by the back door.’ [Law Gazette]

US – Brookman to FTC: Let Us Decide If We’re Harmed

“Privacy law in the U.S. is weaker than in most places,” writes the Center for Democracy & Technology’s Justin Brookman, adding, “but hey, at least we’ve got Section 5.” Though it’s based on a law now 100 years old, he notes, it also acts as a baseline, of sorts, preventing consumer deception. “Recently, however,” Brookman writes, “even this weak standard has been called into question by two sitting commissioners of the FTC, no less. Commissioners Maureen Ohlhausen and Joshua Wright have both indicated that the FTC shouldn’t bring deceptive practices cases against companies absent some objective assessment of consumer harm.” Brookman examines this recent development and describes why such an argument is “an extremely dangerous idea.” [Privacy Perspectives]

Privacy Enhancing Technologies (PETs)

WW – Software Firm Introduces Next Generation VoIP Solution

Ring is the next generation of the SFLphone project produced by Canada-based open-source software firm Savoir-faire Linux, aimed at giving users a secure VoIP solution. “Ring uses OpenDHT to connect users instead of a centralized SIP server system such as Asterisk,” the report states, which allows Ring “to bypass the server-client methodology by passing along user information to each other.” There’s a growing need for secure communications and “existing solutions are not secure,” the report states, noting services such as Skype and its competitor WhatsApp received poor scores in the Electronic Frontier Foundation’s Secure Messaging Scorecard. [TechRepublic]

WW – How One Social Network Built In Privacy by Design

In a product review, Think Privacy CEO Alexander Hanff discusses a new social networking site called the Krowd and how it has embraced and built in the principles of Privacy by Design to its services. Distinct from other social sites, Hanff explains, the Krowd runs on local networks where users can create various personas depending on the context of a given social situation. “You can define the Krowd as a dynamic, app-based social network limited to a specific location such as a conference, baseball game or university campus,” Hanff writes. In this post, Hanff describes how this new service works and the potential it could have for users seeking social connection with control. [Privacy Tech]

Remote Identification

WW – App Store Allows Third Parties to Access Driving Data

Automatic is opening an app store so its Bluetooth-enabled car adapter can interact with third parties. The car adapter and accompanying smartphone app allow users to track trips and fuel consumption or locate their parking spots. Now, the Automatic App Gallery will work with Android and iOS, aiming to encourage new apps. “We founded Automatic because we feel that cars weren’t and still aren’t living up to their full potential,” said Automatic Cofounder and CEO Thejo Kote. “They’re basically computers on wheels. They could be doing so much more.” Automatic’s platform uses encrypted and read-only data. [Engadget] See also: [iPhone users’ privacy at risk due to leaky Bluetooth technology]


US – Medical Device Security Guidance for Developers

A paper titled “Building Code for Medical Device Software Security” offers guidance for developers. The purpose of the document “is not to assure that future medical devices can resist every imaginable attack, but rather to establish a consensus among experts … on a reasonable model code for the industry to apply.” [SC Magazine] [CyberSecurity]

WW – Password Security Questions Easy to Guess: Study

Google’s analysis of hundreds of millions of password security questions found that it would be easy for someone intent on gaining access to another person’s account to do so: guesses yielded correct answers a surprising amount of the time. Rather than adding more questions, Google recommends that users update their account information with a phone number or secondary email address to help prevent accounts from being taken over. [ABC] [GoogleUserContent] [How loving pizza is compromising your online security]

US – FBI: Data Breaches Up 400%; Workforce Needs to be “Doubled or Tripled”

James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days,” Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats. [The Hill] See also: [UK: Manchester car park lock hack leads to horn-blare hoo-ha]

US – RIMS Supports ‘Unified Standard’ for Cyber Privacy Breach Notification

As Canadian politicians debate a proposed privacy breach notification law, Risk and Insurance Management Society Inc. said it supports a “unified standard” south of the border: rules mandating notification whenever a data security breach results in an unauthorized release of private personal information. “There are currently 47 different state data breach notification laws in place,” RIMS stated in a press release Tuesday on breach notification rules in the United States. “This has proven onerous for commercial insurance buyers whose organizations operate in multiple states and must comply with several different laws whenever a cyber-breach is experienced.” [Canadian Underwriter]

US – Cyber Security a Growing Concern for Financial Services Companies

Close to 50% of US financial institutions rank cyber security as their number one concern, according to a survey from the Depository Trust & Clearing Corporation (DTCC), topping geo-political risks and new regulations. The DTCC’s Systemic Risk Barometer Study compiled responses from 250 financial market participants. In last year’s report, just 24% of respondents ranked cyber security as their top concern. [SC Magazine] [Most Web sites have serious vulnerabilities, says report]

WW – System Aims to Produce Fake Passwords in Hacked Databases

Researchers have created a data protection system that would make it more difficult for hackers to obtain passwords from leaked databases. In a research paper submitted for consideration at the 2015 Annual Computer Security Applications Conference, the team of researchers unveiled ErsatzPasswords, which misleads hackers using brute-force attacks to crack hashed passwords. Purdue University’s Mohammed Almeshekah said adversaries “will still be able to crack that file; however, the passwords they will get back are fake passwords or decoy passwords.” ErsatzPasswords inserts a machine-dependent step into password hashing, so that the stored hashes cannot be reversed to the real plaintext passwords outside the system that holds the hardware secret; an attacker who later submits a cracked decoy can be detected as such. [CIO]
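The following is an added example, not the researchers’ code: a simplified reconstruction of the scheme as the item describes it. The hardware-dependent function is modeled as an HMAC under a key that would live in an HSM; that key, the decoy list, the attacker wordlist and the fixed block width are assumptions of this example, and plain SHA-256 stands in for the slow password hash a real deployment would use. The point it shows is that the file an attacker steals verifies against the decoy, not the real password, and that a login attempt with the decoy is itself the breach signal.

```python
"""Toy ErsatzPasswords: stored hash = H(decoy); the real password reaches that hash only via an HSM secret."""
import hashlib
import hmac
import secrets
from typing import Optional

BLOCK = 32  # bytes; passwords and decoys are zero-padded to this width before XOR (assumption)

# Key that would stay inside an HSM; here an in-process secret (assumption of this example).
HSM_KEY = secrets.token_bytes(32)

# Decoy ("ersatz") passwords, chosen from the kind of wordlist a cracker tries first.
DECOYS = [b"password1", b"letmein", b"qwerty123", b"iloveyou", b"welcome1"]
# Constructed attacker wordlist: contains the decoys, not the real password.
CRACKER_WORDLIST = [b"123456", b"welcome1", b"password1", b"letmein", b"dragon"]


def _pad(x: bytes) -> bytes:
    if len(x) > BLOCK:
        raise ValueError("password too long for this toy block size")
    return x.ljust(BLOCK, b"\x00")


def _H(x: bytes) -> bytes:
    # A real deployment would use a slow, salted hash here; SHA-256 keeps the example short.
    return hashlib.sha256(x).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hdf(pw: bytes) -> bytes:
    """Hardware-dependent function: HMAC under the HSM key, which an offline cracker never has."""
    return hmac.new(HSM_KEY, pw, hashlib.sha256).digest()[:BLOCK]


def enroll(pw: bytes, decoy: Optional[bytes] = None) -> dict:
    """Store H(decoy) as the hash; the 'salt' is chosen so that hdf(pw) XOR salt == pad(decoy)."""
    decoy = decoy or secrets.choice([d for d in DECOYS if d != pw])
    salt = _xor(hdf(pw), _pad(decoy))
    return {"salt": salt, "hash": _H(_pad(decoy))}


def verify(submitted: bytes, rec: dict) -> str:
    """Return 'ok', 'ersatz' (someone is replaying a cracked decoy), or 'fail'."""
    # If the bare hash of the submitted value matches, the caller holds the decoy, not the password:
    # the real password only matches after the HSM step below.
    if hmac.compare_digest(_H(_pad(submitted)), rec["hash"]):
        return "ersatz"
    mixed = _xor(hdf(submitted), rec["salt"])
    return "ok" if hmac.compare_digest(_H(mixed), rec["hash"]) else "fail"


def offline_crack(rec: dict, wordlist) -> Optional[bytes]:
    """What an attacker with the leaked record (but no HSM) gets: a dictionary hit on the decoy."""
    for cand in wordlist:
        if _H(_pad(cand)) == rec["hash"]:
            return cand
    return None


if __name__ == "__main__":
    record = enroll(b"correct horse battery", b"letmein")
    print("real login:", verify(b"correct horse battery", record))
    cracked = offline_crack(record, CRACKER_WORDLIST)
    print("cracker recovers:", cracked)
    print("attacker tries the cracked value:", verify(cracked, record))
```

Two things to notice: the decoy must differ from the real password (enroll excludes it), and the ersatz check must run before the normal verification, since the real password never hashes directly to the stored value.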

US – Thieves Steal Funds Through Starbucks Mobile App

Thieves are exploiting a weakness in Starbucks’ mobile app to steal money from users’ bank accounts. The app can be used to pay at the coffee stores’ checkouts with smartphones and can also be set up to draw money from payment accounts to reload gift cards. The attackers have reportedly been breaking into Starbucks accounts to transfer money from bank accounts using the app’s auto-reload function. Thieves need only the username and password to access the accounts. Starbucks says their system has not been breached, but that the attacks are the result of breaches of access credentials elsewhere and affect people who reuse that information on multiple sites. Consumer advocate Bob Sullivan urges users to disable the auto-reload function. [BobSullivan] [SiliconRepublic] [SC Mag] [Krebs]
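The pattern behind this story is credential stuffing: one source tries leaked username/password pairs against many accounts, most fail, and the few that succeed are the reused passwords. As an added example (not Starbucks’ code or the reporters’), here is the detection logic run over constructed authentication log lines. The log format, the thresholds, the IP addresses and the account names are assumptions of this example; the successes from a flagged source are the accounts whose auto-reload would be drained.

```python
"""Spot credential stuffing in authentication logs: one source, many accounts, mostly failures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, source IP, account, outcome).
SAMPLE_LOG = """\
2015-05-13 09:00:01 src=203.0.113.9 user=alice result=fail
2015-05-13 09:00:03 src=203.0.113.9 user=bob result=success
2015-05-13 09:00:04 src=198.51.100.4 user=alice result=fail
2015-05-13 09:00:06 src=203.0.113.9 user=carol result=fail
2015-05-13 09:00:08 src=203.0.113.9 user=dave result=fail
2015-05-13 09:00:11 src=198.51.100.4 user=alice result=success
2015-05-13 09:00:12 src=203.0.113.9 user=erin result=fail
2015-05-13 09:00:15 src=203.0.113.9 user=frank result=fail
2015-05-13 09:00:17 src=203.0.113.9 user=grace result=success
2015-05-13 09:00:20 src=203.0.113.9 user=heidi result=fail
2015-05-13 09:01:30 src=192.0.2.77 user=ivan result=success
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) user=(\S+) result=(success|fail)$")


def parse(lines):
    """Yield (timestamp, source, account, succeeded) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4) == "success"


def find_stuffing(lines, window=timedelta(minutes=10), min_accounts=6, max_success_ratio=0.25):
    """Return {source: summary} for sources that, within `window`, hit at least `min_accounts`
    distinct accounts with a success rate of at most `max_success_ratio`. Once a source trips the
    threshold, every success from it is reported as a likely takeover (the credential-reuse case)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(lines):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            span = events[start:end + 1]
            accounts = {u for _, u, _ in span}
            ratio = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and ratio <= max_success_ratio:
                flagged[src] = {
                    "accounts_tried": len({u for _, u, _ in events}),
                    "attempts": len(events),
                    "taken_over": sorted({u for _, u, ok in events if ok}),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, summary in find_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

A legitimate user who mistypes once and then succeeds (198.51.100.4 above) never trips the rule, because the distinct-account count stays at one; the rule keys on breadth across accounts, not on failures alone, which is what distinguishes stuffing from a single forgotten password.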

Smart Cards

US – More FERPA Amendments Proposed; Two New State Laws In Effect

While conversations continue around the Kline-Scott discussion draft to amend the Family Educational Rights and Privacy Act (FERPA), Sen. David Vitter (R-LA) has introduced a new FERPA amendment, and Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) have reintroduced a 2014 amendment. The Data Quality Campaign (DQC) provides this update on student privacy legislation in the U.S., noting that the Vitter bill “is alarmist in its approach to data and privacy and all but guts state Statewide Longitudinal Data Systems.” Also, get more information on the 178 bills DQC is tracking and two new state laws in Georgia and Maryland. [Privacy Tracker]


US – Gov’t to Vote on NSA Reform; EU Moves Toward More Spying

Sen. Mitch McConnell (R-KY) said he’ll allow a vote on an overhaul of U.S. surveillance programs, meaning the Senate is expected to vote this week on the USA FREEDOM Act, which gives the NSA six months to change its bulk-record collection methods. But, in The Christian Science Monitor, Rachel Brand of the Privacy and Civil Liberties Oversight Board shares concerns over losing Section 215, calling it “an essential investigative tool.” Separately, Bryan Cunningham writes for Politico about the trend toward new spying powers in the EU while the U.S. scales back. And Edward Snowden is the focus of a cover story in The New York Times as disagreements continue over the NSA documents he leaked. “The rest of the documents have been used as a kind of intelligence porn for the rest of the world: ‘Oooh, look at what NSA is doing,’” former NSA General Counsel Stewart Baker said. [The Hill]

US – Obama and Rand Paul Face Off Over the Patriot Act, Surveillance

Obama called on the Senate to approve a House-passed bill that would change the phone record collection program while renewing less controversial Patriot Act provisions that also expire at the end of the month. The Senate rejected the House bill by three votes last weekend and is on a break until Sunday, just hours before the spying powers are scheduled to expire. …Paul said the House bill supported by Obama, under which the records would be kept by the phone companies instead of the government, doesn’t go far enough to stop the NSA from getting the data. He argued that Obama should be shutting down the bulk collection of phone records. [Source] [NYTimes]

US – Franken Wants Law to Ban Tracking Apps

After hackers posted tracking app mSpy’s “sensitive data”—including text messages and “payment information”—online, Sen. Al Franken (D-MN) is once again urging Congress to pass legislation against such apps. “I believe every American has a fundamental right to privacy, which includes the right to control whether and with whom personal, sensitive information—including location data—is being shared,” Franken wrote. “Such apps not only operate in clear violation of fundamental privacy principles, but the serious danger they pose is well-documented.” The report notes mSpy itself has not yet confirmed the breach. [The Hill]

US – Pranksters Record Conversations to Spoof NSA Spying

Calling it a “pilot program” for the NSA, a group of provocateurs hid tape recorders under tables and benches around New York City to record random conversations and then published them on their website. A message on the website states, “Eavesdropping on the population has revealed many saying, ‘I’m not doing anything wrong so who cares if the NSA tracks what I say and do?’ … We’ve started with NYC as a pilot program but hope to roll the initiative out all across The Homeland.” Those whose conversations were recorded had no knowledge they were being surveilled, the report states. [Wired]

US – Police Chiefs Group Offers Drone-Use Policy

Model law enforcement drone guidelines: No weapons, limit deployment, keep them in operator’s sight: Police agencies across the nation are increasingly using drones to improve public safety, but need clear operations policies and limits to win public trust, experts said at a law enforcement conference in San Diego. To that end, a model policy on use of drones – or “small unmanned aircraft systems” – was rolled out by the International Association of Chiefs of Police. The policy, which could be adopted or revised by any law agency, sets out specific procedures for deploying a drone, lists restrictions on its use, details how data would be retained or deleted and how operators should be trained. The International Association of Chiefs of Police set out drone-use guidelines for law agencies in 2012 and a committee spent the next three years developing the model policy. Among the rules:

  • Drone deployment must be authorized by an executive officer or supervisor.
  • Deployments would be to assess the scope of an incident, assist search and rescue, give aerial views for crowd control or temporary perimeter control, to document a crime or accident scene or assist tactical squads.
  • Drones would be used only by trained operators within line-of-sight of the device and other FAA rules.
  • Flight times, locations, missions and operators should be fully documented.
  • Drones should not be equipped with weapons.
  • Data should be downloaded securely and not erased or duplicated without written approval.
  • Agencies should consider notifying the public when the drone is being used. [Source]

US – Drones Boom Raises New Question: Who Owns Your Airspace?

17 states have passed laws to restrict use of craft, but where does private property begin? Many attorneys have cited that 1946 case as a looming dilemma for regulators and the drone industry. They say it poses tough legal questions, such as where does “navigable airspace” begin and the control of property owners end? “We weren’t forced to answer these questions and we absolutely will be now,” said John Villasenor, a public-policy professor at the University of California, Los Angeles. “And I’m quite sure that we collectively don’t have the answers yet.” [WSJ] See also: [The New Jersey Assembly has passed a bill requiring police, in most cases, to get warrants prior to using drones] [The Nevada Senate has passed AB239, which would create regulations for drone use in the state. The bill passed unanimously in the Assembly last month] [South Africa has a new law regulating the use of drones that includes requiring operators to have licenses and prohibiting them from flying drones within 50 meters of crowds] [The South African Civil Aviation Authority plans to introduce new regulations to govern drones; however, Claudia Eisenburg of Norton Rose Fulbright’s Johannesburg office says some of the requirements conflict with potential business applications] and [Here’s a security drone that follows you around (and takes video)] and [UK Criminals Use Drones To Case Burglary Prospects]

Telecom / TV

US – FCC Policy: Broadband Providers Must Adhere to Stricter Privacy Rules

The US Federal Communications Commission (FCC) is notifying Internet providers to let them know that they are now subject to stringent privacy regulations. These regulations are attributed to the FCC’s net neutrality rules. Broadband providers are subject to the same rules that protect landline phone service customer data. The providers cannot share customer information with other entities without express permission from the customer. [WashPost] [Factory reset memory wipe FAILS in 500 MEELLION Android phones] and [Liquor bottles now can talk to your cellphone]

US – FBI: We do Not Prevent Law Enforcement from Disclosing StingRay Use

The FBI has issued a statement regarding US law enforcement use of cell-site simulators, known colloquially as StingRays, after the brand name of a particular device. Several recent lawsuits revealed that the FBI has a non-disclosure agreement with local law enforcement agencies and that in at least one case, local law enforcement was urged to drop a case rather than divulge details about the technology’s use. The recent statement from the FBI says that local law enforcement agencies are not prevented from disclosing their use of StingRays, but that “the FBI’s concern is with protecting the law enforcement sensitive details regarding the tradecraft and capabilities of the device.” [ArsTechnica] [WashPost] [DocumentCloud]

CA – Rampant Telecom Surveillance Conducted With Little Transparency, Oversight

Citizen Lab study finds Canadian governments, telecoms lag other countries when it comes to transparency about surveillance. The report also criticizes the government’s “irresponsibility surrounding accountability” with respect to telecommunications surveillance. It warns that this could endanger the development of Canada’s digital economy and breed cynicism among citizens. “Access to our private communications is incredibly sensitive,” said Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab, which conducts research on information technology in the context of human rights and global security. The report, funded by the Canadian Internet Registration Authority, showed Canadians recognize this and are very concerned. But despite that, evidence suggests governments and law enforcement have been demanding millions of subscriber records from telecom firms in recent years. [CBC]

US – Broadband Industry Baffled By FCC Guidance

Some in the broadband industry are confused by the FCC’s guidance on privacy rules that broadband providers will be subject to starting next month. “I’m hesitating because we just found it stunningly unhelpful,” said one telecom lawyer. “And, you know, they’re sort of oblivious to the fact that for years now there’s been this ongoing debate and discussion in Washington and throughout the country on what does privacy mean, what are the core (tenets) of privacy,” the lawyer said, adding, ”to come out and say, ‘well just do that,’ it’s just laughable.” An FCC representative said the advisory was guidance about the agency’s thinking only and not evidence of a new rule or changes to already published rules. [The Hill]

US Government Programs

US – Rand Paul Speaks 11 Hours Against Patriot Act Renewal

Rand Paul spoke about the bulk collection of data. He spoke about civil forfeiture. He spoke about Section 213 of the Patriot Act, “this whole sneak-and-peek” that allows the government to come into a person’s house. He spoke about criminal justice. And spying. And a 1928 court case. And the Ninth Amendment. Every half-hour or so a new stenographer came over to stand by Paul’s desk, relieving the previous one. Most of all, Paul spoke about how the Patriot Act allows for the collection of bulk surveillance. “We should be in open rebellion, saying enough’s enough,” he said. “Where’s the outrage?” he asked. The chamber was nearly empty, save for a few staffers seated in the back and a security guard standing near the door. Five Senate pages sat on the steps of the dais, looking directly at Paul. One young woman twirled the end of her hair. A young man picked at his cuticles. [WashPost] [Republican presidential nominee Rand Paul attracts odd bedfellows in his talkathon] [NYT: Rand Paul’s Timely Takedown of the Patriot Act] [Rand Paul’s Senate ‘filibuster’: five great points he made about NSA surveillance] [After Rand Paul’s Sort-of Filibuster, What’s Next for Surveillance Reform?] [Rand Paul Speaks 11 Hours Against Patriot Act Renewal] [Patriot Act Phone Snooping Likely To Expire After Mcconnell Gambit Backfires] [Randstand: Republican Presidential Candidate Leads Bipartisan Opposition to Patriot Act] [Fight in Congress to Preserve NSA’s Metadata Program Comes to Naught] [NSA Surveillance Reform Bill Is A Sham That Violates Our Privacy] [National Journal: DoJ: Some NSA Programs Could Shut Down this Week]

US – Congress Pursues Deal on Phone Data Collection

The Senate left Washington with the government’s surveillance program in disarray after lawmakers mustered only 57 of the 60 votes needed to pass the House bill. The legislation would stop the N.S.A. from using a section of the Patriot Act to justify collecting reams of so-called metadata from phone companies — information that shows virtually every phone call, the numbers called and the times of the calls. Instead, the phone companies would hold those records, accessible to the N.S.A. through a search warrant. …Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in. [NY Times] [Obama Weighs Strategy as Data Laws Run Out]

US – Legislators Want PCLOB Strengthened

A bipartisan group of legislators wants to strengthen the Privacy and Civil Liberties Oversight Board (PCLOB). Sens. Ron Wyden (D-OR) and Tom Udall (D-NM) and Reps. Tulsi Gabbard (D-HI) and Trey Gowdy (R-SC) have introduced legislation “to expand the authority of the PCLOB and make its five board seats full-time positions,” the report states, noting that the Strengthening Privacy, Oversight and Transparency Act “would also give the PCLOB the ability to issue subpoenas without having to wait for the Justice Department.” Wyden said, “By giving the board a broader mandate and more authority, Congress can better protect the privacy and civil rights of law-abiding Americans.” [The Hill]

US – Warrantless Laptop Seizure at Borders Shouldn’t Be Rubber-Stamped, Rules Judge

“…The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable. Therefore, the motion to suppress the evidence …. will be granted.” Amy Berman Jackson, Federal judge, US District Court for Washington DC. [NakedSecurity] See also: [Canadian border security: Most travellers aren’t fully screened]

US Legislation

US – Experts Call for Data Collection Regulations

A lack of regulation for the data that products like smart watches and fitness trackers collect could translate into discrimination in the future and experts are calling for regulations, Computerworld reports. Santa Clara University’s Irina Raicu said, “The broader privacy concern is that information collected from various sources is increasingly being combined to create profiles from individual users and draw inferences about their future actions, preferences, etc.” Forrester’s Fatemeh Khatibloo said regulations are needed “to encompass … egregious and discriminatory uses of data.” She added, “It has to be a government role; I don’t think self-regulating trade bodies will do that effectively.” [Full Story]

US – HIPAA Revision Bill Passes Subcommittee

An amended version of the bipartisan 21st Century Cure Bill, which aims to advance medical innovation, has passed its first Congressional hurdle without any revisions to controversial provisions that would make significant changes to the Health Insurance Portability and Accountability Act Privacy Rule. On May 14, the House Energy and Commerce’s health subcommittee “approved a 302-page ‘markup,’ or amended, version of the 21st Century Cure bill,” which would penalize vendors of electronic health records who fail to meet standards for secure information-exchange, the report states. But some are displeased with the bill. David Holtzman of CynergisTek, for example, says the bill could result in “significant administrative hurdles and burdens.” [Gov Info Security]

US – FL Gov Signs “Revenge Porn” Law

Florida Gov. Rick Scott has signed legislation that makes posting “revenge porn” online a crime. Florida now joins another 16 U.S. states with similar laws. The “sexual cyberharassment” bill takes effect October 1, the report states, and “makes it a misdemeanor punishable by up to a year in jail to transmit nude pictures with identifying information about the subject of the images without that person’s consent.” The bill defines “cyberharassment” as distributing such images without consent and with the goal of “causing substantial emotional distress.” Additional offenses would be classified as felonies, the report states, and would carry penalties as high as five years in prison. [Reuters]

US – Student Privacy Bill Introduced; Markey and Hatch Push for FERPA Bill

Sen. David Vitter (R-LA) has introduced his own version of a student privacy bill, adding to the collection of those already drafted. Vitter’s Student Privacy Protection Act aims to give parents control over how their children’s data is released and used. “Parents are right to feel betrayed when schools collect and release information about their kids,” Vitter said in a statement. “This is real, sensitive information—and it doesn’t belong to some bureaucrat in Washington, DC.” Meanwhile, Sens. Ed Markey (D-MA) and Orrin Hatch (R-UT), wrote an op-ed why their school privacy bill is essential to children’s safety in the Digital Age. [The Hill] See also: [ON: Bishop Horden residential school survivors fight Ottawa in court]

US – Other US Legislative News

Workplace Privacy

CA – Employee Tracking Apps Raise Worker Privacy Questions

Privacy issues with employer tracking devices are increasingly coming to the fore, says David Fraser, partner at McInnes Cooper and a privacy law expert. …Canada’s privacy laws afford employers the right to monitor their workforce under certain circumstances, says Kirsten Thompson, the co-lead of McCarthy Tétrault law firm’s national cyber security, privacy and data protection group. …When companies decide to use such technology, they must have consent from their employees, who must understand what is being tracked and for what reason, she says. All companies should have a clear, easily available privacy policy that outlines their justification. …A company could argue that what its employees do outside of work can negatively impact their reputation, says Fraser. Employees would have to be aware that the monitoring is taking place beyond their shift, he says, and that the information gathered could be used to discipline them. Still, Fraser speculates that if a case similar to the Arias one appeared in Canada, the company would be told to “knock it off.” [CBC] [Vital to balance employee privacy with security: BC Commissioner] and [Employer is not vicariously liable for a rogue employee’s privacy breach]


01-15 May 2015


US – NSA Converts Spoken Words into Searchable Text

Experts in speech recognition say that in the last decade or so, the pace of technological improvement has been explosive. As information storage became cheaper and more efficient, technology companies were able to store massive amounts of voice data on their servers, allowing them to continually update and improve the models. Enormous processors, tuned as “deep neural networks” that detect patterns like human brains do, produce much cleaner transcripts. And the Snowden documents show that the same kinds of leaps forward seen in commercial speech-to-text products have also been happening in secret at the NSA, fueled by the agency’s singular access to astronomical processing power and its own vast data archives. [Intercept] [FirstLook: Speech Recognition is NSA’s Best-Kept Open Secret]

US – Professor Invents Long-Range Iris Scanner

A Carnegie Mellon engineering professor says he has invented a long-range iris scanner to help police identify potential suspects before approaching them in cars. Prof. Marios Savvides says it is first-of-its-kind technology. “Fingerprints, they require you to touch something,” he said, adding, “Iris, we capture it at a distance, so we’re making the whole user experience much less intrusive, much more comfortable.” The technology works at distances between six and 12 meters and could replace government IDs at places such as airports, the report states. Savvides said people are already being tracked every day, and that “if someone really wanted to know what you were doing every moment of the day, they don’t need facial recognition or iris recognition to do that.” [The Atlantic]

WW – Your Poop Is the Latest Privacy Threat

Microbe populations on the skin and in the mouth tend to fluctuate over time, so their genetic signatures don’t stay the same. That’s partially because the skin and mouth are exposed, so they constantly pick up new microbes from other people or from the environment. It’s also because relatively few species live in these areas, so there’s not a lot of diversity to contribute to a really unique signature. But the same isn’t true of intestinal bacteria, researchers found. They were able to match the genetic signature of gut bacteria in stool samples to their owners 86 percent of the time, even including some people who had taken antibiotics in the interim. Over 500 species of bacteria live in the large intestine, and some of them are strains which are actually unique to each person. They’re pretty isolated from the outside environment, too, which means their genetic signature is more unique and less prone to change. [Source]

Big Data

US – FTC, CFPB to Keep Pressure on Big Data Firms

Officials from the FTC and the Consumer Financial Protection Bureau (CFPB) vowed to keep pressure on organizations handling personal data. The FTC’s Jessica Rich said, “One of the big messages that we want to send to businesses … is that there are indeed laws currently on the books that apply” to big data, while the CFPB’s Peggy Twohig said the agency has conducted “significant research” on consumer reporting. The FTC plans to release a report on discriminatory uses of data. [Law360]

UK – ‘Big Data’ Processing Justified on ‘Legitimate Interests’ Grounds: ICO

Businesses do not always need consumers’ consent to process their personal data contained in ‘big data’ sets, the Information Commissioner’s Office (ICO) has said. …businesses can rely on the so-called ‘legitimate interests’ ground to process personal data too. Businesses can rely on this provision providing their interests in processing personal data do not unduly prejudice the rights and freedoms of individuals. In the big data guidance it issued last July, the ICO said businesses must process personal data fairly and in a transparent manner when undertaking big data initiatives. The guidance explained the extent to which businesses can rely on consent previously given by consumers to the processing of their personal data when they identify a new use for the data. [Source] [Chief Data Officer: Insight Into A Crucial Role for The Exabyte Age]

WW – The Philosophy of Privacy: Why Surveillance Reduces Us to Objects

Using the internet can be seen as a trade-off: privacy for freedom. But the insidious and widespread invasion of that privacy by a security state is something different altogether. Partly for this reason, writers like Jeremy Rifkin have been saying that information privacy is a worn-out idea. On this view, the “internet of things“ exposes the value of privacy for what it is: an idiosyncrasy of the industrial age. So no wonder, the thought goes, we are willing to trade it away – not only for security, but for the increased freedom that comes with convenience. This argument rings true because in some ways it is true: we do, as a matter of fact, have more freedom because of the internet and its box of wonders. But like a lot of arguments that support the status quo, one catches a whiff of desperate rationalisation about it as well. In point of fact, there is a clear sense in which the increased transparency of our lives is not enhancing freedom but doing exactly the opposite – in ways that are often invisible. [Source]


CA – Commons Passes Controversial Anti-Terror Bill

The Conservative government’s controversial anti-terror legislation is one step closer to becoming law. Bill C-51 passed the House of Commons this week by a vote of 183 to 96 and now heads to the Senate for final passage. The government is expected to give royal assent within weeks, the report states. Bill C-51 has been criticized by privacy experts, including Canada’s privacy commissioner, for its broad information-sharing provisions, and is said to threaten civil liberties. [The Huffington Post Canada]

The bill’s many critics believe it overreaches in two key regards. One is CSIS’s expanded mandate to take “reasonable and proportional” measures to actively disrupt suspected threats to national security at their inchoate “pre-criminal” stage – before the RCMP would typically mount a criminal investigation. The other is the broader sharing of Canadians’ personal information across government and the privacy concerns that raises. The bill also underreaches in crucial regards, say opponents. There is no expanded independent, civilian oversight of the newly empowered state security apparatus, which is increasingly intertwined. There is no provision for existing federal watchdogs to share operational information or conduct joint investigations. And attempts to impose three-year sunset clauses on some of the more contentious provisions were rejected by the Conservative majority. [Ottawa Citizen] [Ottawa Citizen: House of Commons Set to Hold Final Vote on Anti-Terror Bill] [The Guardian: Canada Poised to Pass Anti-Terror Legislation Despite Widespread Outrage] [Sorry Liberals, ‘Oversight’ Won’t Fix Menace of a Terror Bill]

Bill C-51: They Appear to Know Not What They Have Done: C-51 introduces a new crime of “advocacy” of terrorism offences (“in general”). We think this is a horrible, unnecessary and unconstitutional speech crime. But having insisted on an “advocacy” crime, you’d expect the government to be concerned about how the same word “advocacy” is used elsewhere in the same bill. But by simply dropping the word “lawful”, the new info-sharing Act seems to preclude application of the new information sharing powers in relation to any sort of advocacy, protest or dissent, no matter how criminal or indeed, how violent. And so government officials will now need to spend a lot of time wondering if, e.g., violent conduct really is “protest” or “advocacy” or “dissent”, and whether they can still use the Act in relation to such conduct. Officials will also need to sit around and ask “shall we read the carve-out in the info sharing Act (now reaching both lawful and unlawful “advocacy” or whatever character) as excluding information sharing related to the new ‘advocacy’ crime?” Officials will make it work: basically, they’ll just ignore the incoherence and jam the round peg into the square hole of nonsensical legislative language. And so, to do their jobs, they’ll just have to ignore the law, because (as Shakespeare would say) the law is a total ass. And the Privacy Commissioner, reviewing this work-around, would act very properly in tearing a strip off of these officials. [Source: Craig Forcese]

The Senate Liberals’ leader, James Cowan, told The Huffington Post Canada he hasn’t spoken to Liberal Party Leader Justin Trudeau, who supported the bill in the Commons, but he expects most of the Liberal team in the upper chamber to oppose the bill. …Trudeau kicked all his senators out of the Liberal caucus last year and barred them from organizing for the federal party. Despite the surprise banishment, the 29 senators decided to keep calling themselves Liberals anyway. Cowan said he has always believed the Senate should be more independent, and he hopes Conservative senators might eventually follow suit. [HuffPost] [Globe & Mail: Liberal Senators To Vote Against Anti-Terror Bill Trudeau Supported]

CA – Bill S-4 – Proposed Amendments to PIPEDA

The Office of the Privacy Commissioner (OPC) supported the bill in its June 4, 2014, Submission to the Senate Standing Committee on Transport and Communication, stating that on the whole, the proposed amendments will strengthen the privacy rights of Canadians with respect to their interactions with private sector companies, improve accountability and provide incentives for organizations to comply with the law. In its Feb. 12, 2015, Submission to the Standing Committee on Industry, Science and Technology, the OPC endorsed its June 2014 submission, but provided additional comments in light of the seminal decision of the Supreme Court of Canada in R. v. Spencer. The OPC noted that carrying out a reasonable expectation of privacy analysis under PIPEDA is highly complex and contextual, leaving organizations in a state of uncertainty as to when they may or may not disclose personal information without a warrant. Therefore, the OPC urged the Committee to clarify when the common law policing powers to obtain information without a warrant can be used. [Mondaq]

CA – B.C. Premier Defends Bill 20 Amendments

Andrew Weaver, the B.C. Green Party MLA, said he didn’t support the change. “In fact, I don’t, to be perfectly honest, think that it is anybody’s business apart from the voter and the chief electoral officer to know who or who has not voted. That’s a matter of privacy.” B.C.’s Information and Privacy Commissioner agrees. In a letter released last month, Elizabeth Denham wrote that the amendment extends beyond the objective of increasing voter turnout and expressed the concern that “the proposed amendments would allow for other uses and expand the already broad ability of political parties to collect information about voter participation.” [Source]

CA – Quebec School Officials No Longer Allowed to Strip Search Students

Following the high-profile case of a 15-year-old girl searched at a Quebec City school, a report recommends that only police officers conduct such examinations. Fabienne Bouchard, a former prosecutor and retired lawyer hired to conduct the probe, wrote that a school with serious grounds to believe a student is involved in drug trafficking should call police instead of carrying out the search itself. “The recommendations are clear and the investigation was necessary to clarify the practice and to clarify the law around the practice,” Education Minister François Blais said. He added that schools and police will need to co-operate in the coming weeks to find a solution on how they should deal with drug trafficking. [Star]

CA – CASL Reduces Spam Received By Americans, But Not Canadians: Report

The unusual findings may be due to the cross-border nature of the spam industry in North America. According to Cloudmark, most spam email originating in Canada (78%) is bound for the U.S., and most of the spam Canadians received (53%) comes from the U.S. Since CASL, spam outbound from Canada has dropped dramatically. However, while email received in Canada overall has dropped by 29%, much of that was due to a sharp decline in legitimate email. The average percentage of email received by Canadians that is spam actually increased from 16.5 to 16.6%. According to Cloudmark, the stricter requirements for consent for marketing emails under CASL are behind the drop in legitimate email volume. [Source]

CA – CRA Can Now Share Tax Filings With 16 Government Agencies

Until now, the CRA has only had permission to share this information with three other agencies (CSIS, RCMP and FINTRAC) and only under very specific conditions. That list has grown to 16 in total and now includes Canada Border Services, the Canadian Armed Forces and Citizenship and Immigration among others. The more people that have access to taxpayer information under Bill C-51, the higher the risk of leaks, hacks and other foul play, according to Avner Levin, the director of Ryerson University’s Privacy Institute. The change in legislation is “unprecedented,” he says. “It’s snooping and meddling of the worst kind.” [MoneySense]

CA – Canada Joins Global Sweep of Kids’ Online Privacy

Investigators will be looking at whether apps and sites gather personal information on kids, and if they do, whether that information is limited to what’s necessary (to create an account, for example). They will also examine whether the apps and sites prompt users to involve a parent or guardian in any registration process; and whether they take measures to make privacy policies understandable to kids. That means not just using simple language, but also using graphics or even animated characters to guide them through the information and to encourage parental involvement. The sweep, which began Monday and runs through

CA – Sask. Privacy Commissioner Investigates Government Information Leak

The executive council, Saskatoon Health Region, Oliver Lodge and the Ministry of Health are all under investigation after a care aide’s personnel documents were released to the media. Bowden said the province’s release of the information to the media was an attempt to silence him. He also wants to know why details of the allegations against him were released from SHR to the provincial government and then the media before him. He said he received word of his suspension on April 16 but did not get a comprehensive list detailing the accusations against him until April 24, four days after Young sent the email to media. Bowden filed a complaint with the Office of the Information and Privacy Commissioner (OIPC) because he said his privacy was violated when the details of his personnel file were emailed to reporters. The OIPC will make the final decision. The commissioner will investigate the executive council, Saskatoon Health Region, Oliver Lodge and the Ministry of Health. [Source] [StarPhoenix: Sask Privacy Commissioner Probes Premier’s Office]

CA – Manitoba Court Rules Family of Man Who Died During ER Wait Can Sue

Vilko Zbogar, one of the family’s lawyers, said the ruling has important implications for the evolution of charter law, as well as the family’s pursuit of justice. “This is absolutely a landmark ruling on charter interpretation and on privacy rights,” he said. …The Appeal Court also restored the family’s right to sue the Winnipeg Regional Health Authority for disclosing private health information about Sinclair after his death. [The Record]

CA – Impaired Driving Trial Hears Arguments on Whether Police Violated Privacy Rights

Defence lawyer Pierre Joyal argued that a hospital emergency room is a space where citizens have a certain expectation of privacy, and that police had no reason or right to be standing so close to Snider’s medical team when they overheard privileged information. Even if they did overhear it, he said, it should never have been used to start gathering evidence against his client. “The expression is ‘what happens in Vegas stays in Vegas.’ Well, what happens in the emergency room stays in the emergency room,” Joyal noted in his relatively brief address to the court. “Nothing justified (police officers) being there.” [Montreal Gazette]

CA – Canada’s Friendly Drone Laws

Addressing privacy concerns may be as simple as ensuring that existing laws encompass drones. This is the approach taken by Hong Kong in its recent guidelines. Similarly, Canada’s Privacy Commissioner has opined that Canada’s existing privacy laws apply to drones. While “lateral surveillance”—private citizens surveilling other private citizens—is often not covered by privacy statutes, torts such as intrusion upon seclusion may fill that gap. [Mondaq]

CA – Premier Cites an Official’s ‘Lapse In Judgment’ in Release of Information

Wall said Monday the senior staff member has been removed from the file and has had an exemplary record otherwise. “What I had asked for is that general information be provided to the media on background,” he said. “The first email in my view met that test … a second email went to one reporter … that had specific information.” [Winnipeg Free Press]

CA – Other Privacy News


US – Millennials Most Trusting of Generational Groups

Despite high-visibility data breaches, 44% of millennials in the U.S. believe “their personal information is kept private ‘all’ or ‘most of the time’ by the businesses or companies they do business with”—the highest of all major U.S. generational groups. The most skeptical generation is Americans aged 70 and older, with 29% believing their personal information is kept private all or most of the time and just over a third believing it’s kept private a little or none of the time. Generation X and baby boomers fall somewhere in between the two groups, “suggesting that expectations of personal privacy are age-related,” the report states. [Gallup]

US – DAA Sets Opt-Out Compliance Deadline for September

The Digital Advertising Alliance (DAA) announced that starting in September, "ad companies will have to allow people to opt out of receiving ads that are targeted based on data collected across mobile apps." The self-regulatory group's mobile privacy code, unveiled in 2013, requires ad networks and other companies to notify consumers about cross-app advertising and allow them to opt out via AppChoices, which the DAA released earlier this year. While the rules were announced nearly two years ago, a compliance deadline had not been set until now, the report states. "We give companies a reasonable amount of time to make sure that everything's in order," said the DAA's Lou Mastria. [MediaPost]


US – DARPA Aims to Automate Privacy-Protecting Sharing

The Defense Advanced Research Projects Agency (DARPA) plans to consider public proposals on ways for organizations to expedite data sharing while protecting personally identifiable information (PII). Known as Brandeis, the initiative aims to “break the tension” between data protection and finding value in sharing data. DARPA Program Manager John Launchbury said, “Rather than having to balance these public goods, Brandeis aims to build a third option: Enabling safe and predictable sharing of data while reliably preserving privacy.” Purdue University Computer Science Prof. Gene Spafford said, “The objective really is to find a way to transform or mask the data so it’s still useable but eliminate those windows of potential exposure.” [BankInfoSecurity]

AU – Privacy Report Card Warns of Public’s Big Data Concerns

The Australian privacy commissioner says the shift to a simpler, consolidated service delivery model featuring one-stop shops is “an opportunity to place privacy respectful practices at the heart of customer services and build trust with the community”. Coombs wants to see greater protection for data that is sent interstate by government agencies, the right to anonymity and pseudonymity “where lawful and practicable” and mandatory reporting of serious breaches, “particularly if this is introduced into Commonwealth legislation”. [Source]

US – New App Lets Users Send Video of Police to ACLU

The ACLU of California has released a new mobile app for smartphones that lets users automatically send videos of police directly to the advocacy organization. ACLU of Southern California Executive Director Hector Villagra said, “We want to multiply the number of cameras that can be trained on police officers at any time,” adding, “They need to know that anything they do could be seen by the entire world.” However, some are raising privacy concerns about the app. “Everyone wants to keep an eye on the police,” said Loyola Law Prof. Laurie Levenson. “But in these incidents, the police are interacting with an individual involved in the worst conduct of their lives … The ACLU needs to consider their privacy rights.” [Los Angeles Times]


CA – CASL Reduced Legitimate Email as Much as “Spam”: Cloudmark Study

Average monthly email volumes received by Cloudmark customers in Canada declined by 29%, but the percentage of received email that Cloudmark assessed as “spam” actually increased, albeit by an insignificant amount (from 16.5% to 16.6%). In other words, the proportionate impact of the legislation for Canadian recipients has been as high or higher on “legitimate” traffic as it has been on true “spam”. [Source]

CA – Privacy Commish: Guidance for Privacy Law and CASL Compliance

The Guide is a reminder that commercial messages are regulated by both CASL (which regulates the sending of commercial electronic messages) and Canadian privacy laws (which regulate the collection, use and disclosure of email addresses in the course of commercial activities). The Guide explains some of the basic Canadian privacy law requirements for commercial electronic marketing activities. Following is a summary:

  • Accountability: An organization is accountable for how the organization and its service providers collect, use and disclose personal information (including email addresses) in the course of commercial activities. [Source]

Electronic Records

US – Activist Wants Google Settlement Tossed

An activist has filed papers in the Ninth Circuit Court of Appeals opposing a judge's approval of Google's recent $8.5 million settlement in a privacy lawsuit. Theodore Frank is founder of the Center for Class Action Fairness and previously asked a judge to reject the deal, arguing it would not benefit Google's users. [MediaPost]

US – Plaintiffs Want Blue Cross Suit Back in State Court

Blue Cross of California customers who allege the health insurer’s data security practices put millions at risk by exposing their Social Security numbers have urged a federal judge to send their putative class-action back to state court, arguing federal courts lack jurisdiction since the plaintiffs are not seeking monetary damages.


WW – Vint Cerf: Encryption Backdoors Are a Bad Idea

Recent calls by the FBI and other government officials for technology vendors to build encryption workarounds into their products are a bad idea, said Vint Cerf, who added that more users should encrypt their data and that the encryption backdoors the FBI and other law enforcement agencies are seeking would weaken online security. During a speech in Washington, DC, Cerf said that because of the Internet's myriad security challenges, more users and Internet service providers need to adopt measures like encryption, two-factor authentication and HTTP over SSL (HTTPS). "If you have a back door, somebody will find it," he said, "and that somebody may be a bad guy." [IDG News Service] [PC World]

US – Encryption Backdoor Legislation Looks Unlikely, For Now

The House Oversight and Government Reform Subcommittee on Information Technology held a hearing on encryption and law enforcement access to mobile devices. Though FBI Executive Assistant Director Amy Hess and Suffolk County (MA) District Attorney Daniel Conley testified on the need for law enforcement access to combat terrorism and criminal activity, there appeared to be little support from lawmakers. Rep. Ted Lieu (D-CA) said, “It is clear to me that creating a pathway for decryption only for good guys is technologically stupid, you just can’t do that.” Some remained optimistic, however, that a solution is possible. Rep. Will Hurd (R-TX) said, “I believe we can find a way to protect the privacy of law-abiding citizens and ensure that law enforcement have the tools they need to catch the bad guys.” Open Technology Institute’s Kevin Bankston said forcing U.S. businesses to install backdoors will drive away foreign customers and open the door for major breaches of personal information. [BankInfoSecurity]

EU Developments

EU – Digital Single Market Plans Unveiled

The EU has unveiled plans for a strategic Digital Single Market to help boost the region's economy, better compete with U.S. technology firms and help "home-grown" start-ups. The 16 initiatives include reorganization of telecoms, cybersecurity and privacy. GE CEO Jeffrey Immelt said the single market "is a big deal" that "will add tremendously to competitiveness in the long term," but critics caution Brussels may be putting "government officials in charge of how hugely popular online services are designed and implemented." EU Digital Commissioner Günther Oettinger said, "If you look at the platforms they have in the U.S., national data rules play an increasingly reduced role," while Re/code offers several leaked documents and reports on what to expect from this latest initiative. [The Wall Street Journal] [Companies Urged To Prepare Themselves As Latest EU Data Law Proposals Threaten Digital Marketing Industry]

EU – Right to Redress for EU Citizens Pushes Data-Sharing Deal Forward

The EU and the U.S. are close to completing negotiations on a deal protecting personal data shared for law enforcement purposes such as terrorism investigations. The negotiations hit a point of contention because of a lack of legal redress for EU citizens in U.S. courts in cases where data may have been misused, while U.S. citizens have that right in the EU. But the Judicial Redress Act, introduced in the U.S. in March and aiming to give citizens of U.S. allies the right to sue over data privacy in the U.S., has pushed things in the right direction, the report states. [Reuters]

EU – Lawmakers in France Move to Vastly Expand Surveillance

The provisions, as currently outlined, would allow the intelligence services to tap cellphones, read emails and force Internet companies to comply with requests to allow the government to sift through virtually all of their subscribers’ communications. Among the types of surveillance that the intelligence services would be able to carry out is bulk collection and analysis of metadata similar to that done by the United States’ National Security Agency. The intelligence services could also request the right to put hidden microphones in a room or on objects such as cars or in computers, or to place antennas to capture telephone conversations or mechanisms that capture text messages. Both French citizens and foreigners could be tapped. [New York Times] [France Set to Join the Spy Game]

EU – France Passes New Surveillance Law in Wake of Charlie Hebdo Attack

One of the most contentious elements of the bill is that it allows intelligence services to vacuum up metadata, which would then be subject to analysis for potentially suspicious behaviour. The metadata would be anonymous, but intelligence agents could follow up with a request to an independent panel for deeper surveillance that could yield the identity of users. Another controversial element is the so-called "black boxes" (complex algorithms) that internet providers will be forced to install to flag up a succession of suspect behavioural patterns online, such as keywords used, sites visited and contacts made. Surveillance agencies will also be able to bug suspects' homes with microphones and cameras and add keyloggers to their computers to track every keystroke. [The Guardian] [Familiar Swing to Security Over Privacy After Attacks in France] [France doubles down on their war on cash and passes next phase in war on privacy] Five Dangers of France's New Snooping Laws: The bill will allow intrusive measures such as placing cameras and recording devices in private dwellings and installing "keylogger" devices that record every keystroke on a targeted computer in real time, without the independent checks and due diligence that a judge would normally provide. [Source]

EU – Germany is Accused of Spying on Friends

Within the past two weeks, the tide has turned. Ms. Merkel is back in the spotlight over spying. This time it is Germany's foreign intelligence service, known here as the B.N.D., that is being accused of monitoring European companies and perhaps individuals. Further, the reports said the spying was done at the behest of the National Security Agency, the United States intelligence organization. …The accusation was angrily rebutted by Gerhard Schindler, head of the B.N.D. He dismissed as "absolutely absurd" any suggestion that his agency was "a compliant tool" of the Americans. …The current flare-up started on April 23 when Der Spiegel reported that since at least 2008, a division of the B.N.D. had helped the NSA to spy on European and German interests, including the French-German enterprise European Aeronautic Defense and Space, now known as the Airbus Group. [New York Times] Pressure Mounts on Merkel to Explain German Role in N.S.A. Espionage: Ms. Merkel and other members of her conservative bloc have argued that the intelligence agreement is vital to protecting Germany's 80 million or so citizens against Islamic terrorism and other threats. They have continued to defend the trans-Atlantic cooperation since the latest controversy erupted. But even conservatives have begun to express their weariness over what they characterize as repeated American attempts to use intelligence cooperation to spy on European institutions or firms in a way they say jeopardizes joint projects.

EU – Ireland Beefs Up Data Privacy Office

The agency, like counterparts in other EU states, regulates how companies deal with privacy issues—for instance, whether companies inappropriately send email advertising, collect too much information from customers or keep accurate records. The rules are generally tighter than in the U.S. Ireland’s data protection office was created in 1988, when only a handful of large, data-based firms had big operations in Europe. As companies flocked to Ireland, the agency’s resources didn’t keep up. Until this year, its only office has been above a convenience store in Portarlington, a town of less than 8,000 people more than an hour’s drive west of Dublin. [Wall Street Journal] [How Ireland’s Data Protection Czar Views Global Tech Firms]

EU – GDPR is the Biggest Threat to Business Continuity for a Decade

This time next spring, or earlier, there's likely to be a mad panic within sales and marketing departments as companies struggle to beat the deadline for making significant changes to data protection and security or risk facing punitive fines equivalent to up to 5% of global turnover or €100m. Ahead of the GDPR, sales and marketing professionals should follow these top ten steps to ensure that their future marketing efforts within the EU will be compliant. [Source]

EU – Facebook Escapes DPA’s Fines for Now

Facebook has temporarily escaped daily fines over its revamped policy for users’ photos and data. The Dutch Data Protection Authority (DPA) said it lifted the threat of combined penalties totaling as much as 750,000 euros, the report states, “after Facebook agreed to provide information needed to weigh the next steps in the investigation announced in December.” The DPA stepped in last year after Facebook alerted users of changes to its policy in which it claimed the right to use their information and images for commercial purposes. The DPA sought a suspension of Facebook’s new policy pending an investigation or said it would face fines, and Facebook opted to go to court over the dispute. [Bloomberg]

EU – French Lower House Approves Expanded Surveillance Powers

The lower house of the French Parliament has overwhelmingly approved surveillance measures “that could give the authorities their most intrusive domestic spying abilities ever, with almost no judicial oversight.” The bill now moves to the upper chamber, where it is also expected to pass. Prime Minister Manuel Valls said, “The last intelligence law was done in 1991, when there were neither cell phones nor Internet.” The bill allows intelligence authorities access to cell phones and email; mandates service providers let government review virtually all subscriber data, and lets intelligence services carry out bulk collection and analysis of metadata. Paris Bar Association’s Pierre-Olivier Sur said it is “a sort of PATRIOT Act concerning the activities of each and every one.” [The New York Times] The New York Times offers an analysis of France’s move to vastly expand government surveillance powers in the name of public safety.

UK – Deputy PM Clegg Calls for Digital Bill of Rights

Deputy Prime Minister Nick Clegg has called for a new Digital Bill of Rights, initially called for after the Snowden revelations, to be introduced within six months of the new Parliament to “stop information about us being abused online, and to protect our right to freedom of speech.” Monty Munford writes that the 2015 Digital Rights Survey found that while the majority cited privacy concerns about their data, few took appropriate actions to protect it. It will take someone disproportionately famous who could make a Digital Bill of Rights a reality, Munford writes, citing none other than David Beckham. [The Telegraph] [GovInfoSecurity: The Privacy Impacts of the Elections]

UK – Theresa May to Revive Her ‘Snooper’s Charter’

Election results were barely in when the home secretary indicated the Tories will increase state surveillance powers, to the alarm of privacy campaigners. Speaking as early results indicated the Conservatives would form a government with a Commons majority, Theresa May said increased surveillance powers were "one very key example" of Tory policy that was blocked by the coalition arrangement with the Liberal Democrats in the previous government. May's remarks alarmed privacy campaigners who fear a Conservative government will revive the controversial draft communications bill, which was beaten last year after the Lib Dems withdrew their support. That law, labelled a snooper's charter, would have required internet and mobile phone companies to keep records of customers' browsing activity, social media use, emails, voice calls, online gaming and text messages for a year. May said in a BBC interview: "David Cameron has already said, and I've said, that a Conservative government would be giving the security agencies and law enforcement agencies the powers that they need to ensure they're keeping up to date as people communicate with communications data." [Guardian] [NY Times: David Cameron Seeks New Powers to Combat Extremism in Britain]

EU – ‘Right To Be Forgotten’: One Year On

Over the last 12 months, Google has processed 253,617 data removal requests, and agreed to just over 40 per cent of those. The ruling has received heavy criticism from a number of parties, including the House of Lords EU Committee, which described it as "unworkable and wrong", and Wikipedia founder Jimmy Wales, who described it as "deeply immoral". However, the UK's data protection watchdog, the Information Commissioner's Office (ICO), has defended the ruling, claiming that it has "raised awareness of people's data protection rights" and that removal of links from search results "can have a real benefit". [Telegraph]

EU – Other Privacy News

  • Maryland Law Prof. Frank Pasquale reacts to leaked documents from the office of EU Digital Commissioner Günther Oettinger in which the regulator called for “a central EU-wide body with the power to monitor platforms’ use of data, and to resolve disputes between the operators and the businesses they serve.” In this column for The Guardian, Pasquale writes, “This is far-sighted, important planning.”

Facts & Stats

US – Survey Suggests 70 Million Had PI Breached in 2014

A new survey projects that more than 70 million adults in the U.S. had their personal information compromised in 2014. The survey, which polled more than 3,000 American adults, found that while some incidents may have resulted from stolen credit cards, many stemmed from data breaches—and not only online. The survey found that 79% of those notified of a data breach were told by a brick-and-mortar store or a financial institution, the report states. Only 18% said the problem originated at an online retailer. “The study arguably highlights the need for stronger consumer protections,” the report states. [Consumer Reports]

WW – The Projected Cost of Those Breaches? $2.1 Trillion

A new study from Juniper Research reveals that data breaches will cost organizations more than $2 trillion during the next four years. The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation equates that to approximately 2.2% of global GDP or an average of $6 million per organization hit by a breach. "Typically the most expensive forms of cybercrime are data breaches," the study states, adding, "those attacks which result in the criminals seizing business or personal records." In separate research, the Ponemon Institute reveals that information technology assets are insured 39% less than physical assets. The report states that "companies are reluctant to purchase cyber-insurance coverage" even though they foresee greater cyber risk. [IT Pro]

WW – IT Pros See Data Privacy as Top Concern

A new study conducted and released by Dimensional Research reveals that data privacy is now a top concern for IT professionals. According to The State of Data Privacy in 2015, 93% of businesses face data privacy challenges and 77% of businesses exceeding 5,000 employees are investing more into privacy in 2015. What’s more, 84% of the IT professionals surveyed said their focus on data privacy is escalating this year. A top concern for IT professionals is a lack of awareness among employees about existing privacy policies, followed by an insufficient budget to train employees. [BusinessSolutions]

US – The Rise of the Chief Data Officer is Upon Us

The rise of chief data officers (CDOs) is a reflection of "the central role that data now plays in every facet of society," the report states. A 2015 study from IBM's Center for Applied Insights that surveyed 250 chief information officers from large organizations found that 61% wanted their employers to recruit CDOs in the next year. "The emergence of chief data officers at major agencies and departments is a promising sign that the federal government continues to execute on President Obama's open data vision and his 2013 executive order," said Nick Sinai, former deputy U.S. chief technology officer. [TechRepublic]


WW – Facebook Study Examines “Filter Bubble”

A study conducted by Facebook data scientists and published in Science contends the so-called “filter bubble“—the possibility that users create their own insular, online echo chambers—is not occurring on the social networking site. The peer-reviewed study looked at 10.1 million politically partisan American users and revealed that while their friend networks and the stories they read are, in fact, skewed toward their ideology, the effect is more limited than expected, the report states. Eli Pariser, who coined the term “filter bubble,” said the study “shows that the effects that I wrote about exist and are significant, but they’re smaller than I would have guessed.” The study has its critics, however, including Prof. Zeynep Tufekci. [The New York Times]

EU – RTBF Less of a Censorship Issue than Originally Thought?

Internet censorship concerns over the European Court of Justice's decision in favor of the Right To Be Forgotten (RTBF) appear to be unfounded, new Reputation VIP data shows. While individuals are responding to the ability to strike personal information from search engines in large numbers (according to Google reports, requests have been averaging 500 per day), findings illustrate that "invasion of privacy" serves as the catalyst for 58.7% of requests, followed by "damage to reputation" at 11.2%. Collectively, social media sites lead the charge for reported URLs at 20%. "Much of the criticism of the RTBF has centered on fears of criminals erasing bad behavior, leading to cries of censorship. But this data suggests those fears mischaracterize the mainstay of RTBF requests." [TechCrunch]


US – Facts About FATCA, America’s Global Disclosure Law

FATCA requires foreign banks to reveal Americans with accounts over $50,000. Non-compliant institutions could be frozen out of U.S. markets, so everyone is complying. …More than 80 nations—including virtually all that matter—have agreed to the law. So far, over 77,000 foreign financial institutions (FFIs) have signed on too. Countries must throw their agreement behind the law or face dire repercussions. Even tax havens have joined up. The IRS has a searchable list of financial institutions. Countries on board are at FATCA – Archive. [Forbes] An American Tax Nightmare: There is no recourse and no appeal process. Those impacted are left with the choice of uprooting their families (including foreign spouses and children), careers and businesses to re-establish a life in the United States; or to make the painful decision to renounce their citizenship. Without significant and timely changes, that will only be the tip of the iceberg as foreign financial institutions continue their search for unprofitable American accounts. Remember, the vast majority of those renouncing citizenship are not wealthy tax evaders trading their passport for income tax savings; they are middle-class Americans, living overseas, fully compliant with their U.S. tax and reporting obligations. [NYTimes]


CA – Shredding at Legislature Prompts Privacy Commissioner to Weigh In

The commissioner’s office issued a news release, in part to answer questions raised by the public and media about shredding in the wake of the Tories’ defeat in the recent election. Following the NDP’s historic win, photos have been posted on social media of giant bags of shredded paper sitting outside legislature offices. That has led to concerns — or conspiracy theories — the PC government, which has been in power for 44 years, might be frantically discarding evidence of secrets, scandals or other valuable information that has been kept from the public eye. [Edmonton Journal]

US – School Districts, Nonprofit Team Up for Ed-Tech Rating System

More than 20 school districts have teamed up with Common Sense Media to establish a rating system for the privacy policies of educational-technology products. The “Common Sense Privacy Ratings Initiative” will be announced at a conference in June and operationalized later this year. It will likely use a color-coded key so schools can easily understand companies’ compliance with privacy standards. “There’s a lot of pressure on districts, from parents and legislators,” to ensure ed-tech tools comply with applicable laws, explained Omar Khan, the nonprofit’s chief product and technology officer, noting the privacy rating system is still being developed. [Education Week] [Edtech Privacy by Design: The Teacher as Privacy Entrepreneur]


US – Microbiome DNA Raising Privacy Concerns

According to new scientific research, the microbiomes (what some call the "gut print") in the human body can be used to uniquely identify individuals. The research suggests the possibility of identifying previously anonymous participants and revealing data including health, diet or ethnicity. The National Institutes of Health currently hosts a publicly available trove of human DNA, the report also states, and Harvard's Curtis Huttenhower notes, "Right now, it's a little bit of a Wild West as far as microbiome data management goes … As the field develops, we need to make sure there's realization that our microbiomes are highly unique." Separately, Al Jazeera America asks whether DNA will be the next frontier in privacy. [Nature]

WW – Is DNA the Next Frontier In Privacy?

Obama has called for 1 million genomes to be sequenced, but government is mum on how it will protect genetic data. At a hearing about the Precision Medicine Initiative in front of the Senate Health, Education, Labor and Pensions Committee on May 5, Democratic Sen. Patty Murray of Washington state warned of the risks to privacy. "In the last few months we've seen serious security breaches impacting families' personal health information, and that's unacceptable," she said. "We need to be aware that data is being created that cybercriminals will want to exploit, and that means we will need to develop a strategy to protect privacy that meets today's challenges." NIH Director Francis Collins responded that the White House, the NIH and the Office of the National Coordinator for Health Information Technology were all "deeply serious" about protecting the data of the initiative's volunteers. [Source]

Health / Medical

US – Bill Would Lift Patient Authorization Requirements

Some privacy experts are concerned with a draft bill that would weaken HIPAA privacy protections. The 21st Century Cures bill proposes the Department of Health and Human Services “revise or clarify” the HIPAA privacy rule’s provisions on the use and disclosure of protected health information (PHI) for research purposes. The bill would not require patient authorization for the release of PHI for research if covered entities or business associates are involved. David Holtzman, CIPP/G, said the provisions in the draft bill “roll back essential protections of the control that patients have over how their information is used and disclosed.” [Gov Info Security]

US – AHA: Privacy Rules Potential Deterrent to Telehealth Adoption

A report by the American Hospital Association (AHA) says health privacy regulations are one of the potential deterrents to telehealth adoption. “As telehealth utilization expands, however, myriad significant federal and state legal and regulatory issues will determine whether and how hospitals, health systems and other providers can offer specific telehealth services,” the AHA said. While telehealth technologies can create new electronic health information, they can also create operational challenges for hospitals aiming to stay compliant with state and federal rules. The AHA recommends hospitals update and adapt their data privacy and security practices to respond to the new risks telehealth technologies present. [HealthIT Security] See also: [ONC Guide to Privacy and Security of Electronic Health Information]

US – The Risks Increase for All Entities

Risks to healthcare IT security are growing. Every 60 seconds, 232 computers are infected with malware and 12 websites are successfully hacked, the report states. Plus, medical records are worth $60 on the black market, where credit card data is worth $20. “That makes us significant targets,” said Intermountain Healthcare CISO Karl West. Meanwhile, ID Experts President and Cofounder Rick Kam writes for Government Health IT why size doesn’t matter in health data breaches. For example, while large organizations used to be the primary targets, mid-sized organizations with presumably smaller cybersecurity budgets are now becoming targets. [Healthcare IT]

US – While Not ‘Back to the Drawing Board,’ Stage 3 MU Needs Revision

The Meaningful Use Stage 3 proposal, while mostly "beneficial," isn't without fault, finds the Office of the National Coordinator (ONC) Health Information Technology (HIT) Privacy & Security Workgroup. In its critiques, the group cites five necessary improvements, most specifically in the areas of "user guidance" on safe use and "patient access," requesting the development of education materials for consumers as well as more sophisticated methods of identity protection, even "a need to certify patient-facing health applications." The workgroup was careful to recognize the extent of its requirements, and as such is offering assistance with revisions as the proposal moves forward. [Source]

Horror Stories

US – Ponemon Study: Criminal Breaches Now Outnumber Accidents

According to the Ponemon Institute’s Fifth Annual Benchmark Study on Patient Privacy and Data Security, data breaches caused by criminals outnumbered accidental ones for the first time, CSO reports. “Over the five years, the percentage of incidents that occur due to criminal attacks versus negligence has increased by 125%,” said Larry Ponemon, CIPP/US, chairman and founder of the Ponemon Institute. In the last two years, “91% of healthcare organizations reported at least one breach; 39% reported two to five data breaches, and 40% had more than five data breaches,” the report states. And, Ponemon said, that could be undercounting. [Source]

US – Men Arrested for Harvesting Data

Two men alleged to have developed an app enabling criminals to harvest personal data from users of photo-sharing site Photobucket have been arrested. The app allowed users to access password-protected accounts containing private photos. It’s unknown how many users were affected. If found guilty, Brandon Bourret and Athanasios Andrianakis face a maximum of five years in prison and a $250,000 fine for computer fraud and an extra prison sentence of up to 10 years and another $250,000 if they are found guilty of two counts of access device fraud, the report states. The men were arrested in the U.S. [BBC News]

US – Judge Dismisses eBay Class-Action; Hospital Hacked

A federal judge has dismissed a class-action lawsuit filed against eBay following a 2014 data breach exposing encrypted passwords and personal information for 145 users. The suit alleged the breach resulted in economic damages for eBay users, including potential identity theft, but experts say plaintiffs would have had to prove actual or threatened injury to have been successful. Meanwhile, Massachusetts-based Partners HealthCare System is being criticized for allowing employees to send sensitive patient data via email after hackers gained access, and the official federal tally of major health data breaches shows the healthcare sector continues to be a growing target for hackers. [GovInfoSecurity]

WW – Who Should Pay for Breaches?

A recent study from Experian Data Breach Resolution and the Ponemon Institute looks at payment card security from the perspective of “who should be responsible for securing payment systems and how effective their organization is in preparing for and responding to a payment card breach.” In detailing the results, the report states respondents indicate breach prevention is a growing priority. “Companies in the payments industry face a huge challenge keeping up with securing new technologies to protect customer data and with cybercriminals,” said Experian’s Michael Bruemmer. Meanwhile, PYMNTS reports on how a revised data breach notification law could exempt “minor cybersecurity breaches,” while breaches have spurred lobbying for the proposed Cybersecurity Information Sharing Act. [Help Net Security]

US – Sally Beauty Breached Again

Beauty products seller Sally Beauty has confirmed it’s suffered its second data breach in just over two years; a new independent report by Forrester Research discusses the ways firms are “exposing themselves to unnecessary risks” by using outdated approaches to verify employee access to data, and in ZDNet, Steve Wilson says it’s time to “turn up the heat on enterprise IT” to stop breaches from happening.

US – Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

A Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software. The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions. [Krebs]

Identity Issues

AU – Pilgrim: Metadata Is PI

After 22 months, journalist Ben Grubb should now be able to access his own metadata from Internet provider Telstra. That’s because Privacy Commissioner Timothy Pilgrim “has ruled that metadata is personal, finding that Telstra must hand over information it holds about a journalist, two years after he exercised his legal right to see his personal metadata.” However, the story may not be over. The Australian reports telcos are unhappy with the decision. “Australia’s telcos have reacted with dismay,” the report states, adding, “Telstra quickly announced an appeal, and Communications Alliance Chief John Stanton issued a statement saying the industry could not afford to apply such a policy.” [ABC]

Internet / WWW

WW – Global Privacy Sweep Focusing on Children

The Global Privacy Enforcement Network plans to focus its 2015 international privacy sweep on the proliferation of websites and mobile applications targeted at children. The sweep involves 29 data protection authorities in 20 countries. “Children are more connected than ever before, and these platforms must bear that in mind when seeking potentially sensitive data such as name, location or e-mail address,” said Canadian Privacy Commissioner Daniel Therrien. “This is about protecting children. I can’t think of anything more important than that.” The sweep will assess whether the apps and websites examined collect personal information from children and the controls in place to limit that collection. [Source] [Majority of App Developers Contacted by OPC Commit to Improve Privacy Communications In Wake Of GPEN Sweep]

WW – Facebook Project and Microsoft App Draw Criticisms

Facebook’s initiative, aimed at bringing free basic Internet services to users in developing countries, is being described by critics as a “privacy nightmare” because users will be tracked on partner sites, the traffic will be unencrypted and data will be shared with third parties. Meanwhile, Web Security reports on privacy concerns related to Microsoft’s new app that guesses people’s ages and genders via an uploaded photograph. The app, which has had 210,000 images uploaded, now has users concerned about possible privacy breaches and Microsoft’s ability to use images across its services per its terms. Microsoft engineers have said the company neither stores nor uses the photos. [ITProPortal]

US – Online Trust Alliance to Lead IoT Initiative

The Online Trust Alliance (OTA) announced it is leading an initiative to develop a security, privacy and sustainability trust framework for Internet of Things (IoT) devices. The framework aims to provide clarity and confidence to consumers and will initially focus on connected home and wearable/fitness technologies, according to a press release. OTA hopes to use the framework as the basis for a potential certification program for IoT devices and their manufacturers. OTA’s Craig Spiezle said because of the rapid development of IoT products on the market “we must ensure that security and privacy best practices are integrated to maximize consumer protection.” A working group meeting is scheduled for June 16. [Source]

WW – As Sensors Shrink, Wearables Moving Toward “Disappearables”

While wearables may be the hot thing now, the subject of Article 29 Working Party, Federal Trade Commission and U.S. Congressional scrutiny, a new report says they will soon give way to “disappearables,” devices that are so small that they’ll be integrated in the ear, under the skin or woven into clothing. “In five years … everything we see now will absolutely be classified as toys,” says Nikolaj Hviid, who makes smart earbuds called the Dash, which are shaped as hearing aids and allow for music playing, phone calls and monitoring of health indicators. This shift is being driven by chips that use Bluetooth technology and are far smaller and less power hungry than previous versions. [Reuters]

Law Enforcement

US – New State Law Requires Warrants Before Stingray Deployment

Washington Gov. Jay Inslee has signed a bill into law that will require law enforcement to get a judge-approved warrant before deploying a stingray, or cell-site simulator. To obtain a warrant, police will have to disclose the device’s use to a judge and discard cell-phone data from those not associated with the specific investigation, the report states. The Center for Democracy & Technology’s Harley Geiger said the move exemplifies the increasing trend of state governments taking action in lieu of federal legislation. “Stingray technology is just one of many examples of domestic mass surveillance that has the public troubled,” Geiger said. [SC Magazine] SEE ALSO: California County Calls Off Stingray Purchase: Officials in Santa Clara County (California) have said no to the acquisition of cell-site simulator technology known as Stingray. The purchase was initially approved earlier this year, but a lengthy negotiation found the county was unable to reach an agreement with Harris Corporation, the device manufacturer. [Ars Technica]

US – Debt Collectors Linked to ALPR Lobby

In addition to the backing of police departments, automated license plate readers (ALPRs) also allegedly have the support of some in the financial industry. Journalist Lee Fang filed a records request in Rhode Island and found two letters of opposition to a proposed state law limiting how ALPR data is used and shared. One letter was written on behalf of the Rhode Island State Police; the other came from American Financial Services Association Senior Vice President Danielle Fagre Arlow, who wrote of “ALPR’s valuable role in our industry—the ability to identify and recover vehicles associated with owners who have defaulted on their loans and are not responding to good-faith efforts to contact them.” [The Intercept]

US – Justice Dept. Will Spend $20 Million on Police Body Cameras Nationwide

Federal officials plan to award nearly $20 million in funding to dozens of departments, about a third of them small law enforcement agencies. In addition, another $1 million will be set aside so that the Bureau of Justice Statistics can figure out how to study the actual impact of these cameras. [WashPost] The DOJ document which outlines eligibility for the grants states that law enforcement agencies will have to develop or build on a policy which includes the “Implementation of appropriate privacy policies that at a minimum addresses BWC program issues involving legal liabilities of release of information, civil rights, domestic violence, juveniles, and victims’ groups.” However, the document includes few specific details about what policies will have to include in order to be deemed to have addressed these issues. [CATO: We Should Be Wary of Federal Body Camera Funds] [USA Today: States, Civil Liberty Advocates Collide Over Police Body Camera Policy] See also: [Toronto Police Will Be Allowed to Turn Body Cameras Off, Won’t Record Carding]

US – FTC Details Privacy “Trade-Offs” in Retail Tracking

In a new blog post, U.S. FTC Chief Technologist Ashkan Soltani shares a deep-dive into the emerging retail tracking landscape. “In light of the Commission’s proposed settlement with Nomi and the ongoing public debate,” Soltani writes, “I thought it would be worthwhile to describe how different retail tracking technologies work, and in my opinion, the specific trade-offs of each approach.” In addition to an overview of the landscape, Soltani provides an in-depth look at the various identifiers used, as well as how notice and choice are being offered. “Given the variety of approaches,” he adds, “there are a number of things that industry could do to alleviate the privacy concerns and address some of the gaps in consumer awareness.” [Blog]

Online Privacy

WW – IBM and Facebook Pair Up to Bolster Data-Fueled Advertising

IBM and Facebook have announced a partnership to use their “complementary strengths” to bolster data-fueled marketing efforts. “Our clients have urged us to bring Facebook into the equation because it is so important,” said Deepak Advani, general manager of IBM Commerce. “Facebook is where consumers spend a lot of their time.” The idea is to combine IBM’s data analytics strengths with the insights on human behavior and preferences that Facebook will provide. “We both want to connect people with brands. Our objectives are very much aligned. And we share quite a few major clients,” said Blake Chandlee, Facebook’s vice president of partnerships. [The New York Times]

US – Researchers: Parents’ Social Posts Can Reveal Sensitive Personal Data

A new study reveals that one of the biggest threats to children’s online privacy could be parents. Researchers from New York University (NYU) Polytechnic School of Engineering and NYU Shanghai will release a paper demonstrating that parents’ online behavior can compromise their children’s privacy, particularly through posting photos of their children on social media. By analyzing such publicly available photos with public records, including voter registrations, the researchers found personal information about children, including their names, birthdays and home addresses. “By demonstrating just how much information can be gained about a child through adults’ online activities, we hope to spur parents to take precautions to minimize their children’s exposure online,” said Kevin Liu, one of the researchers. [Source]

WW – Google to Give Mobile Users “More Control”

Google is planning to give its mobile users more control over what information applications can access. An announcement that Google’s Android operating system is set to give users more detailed choices over what apps can access is expected this month. The change would bring it closer in line with Apple’s operating system, iOS, the report states, noting Google is seeking to attract users to its mobile services as they increasingly go online via wireless devices. A Google spokesperson declined to comment, according to the report. [BloombergBusiness]

Other Jurisdictions

CN – Draft National Security Law Aims for “Cyber Sovereignty”

Draft legislation proposed by the standing committee of the National People’s Congress would include a “cyberspace ‘sovereignty’ clause.” “The state establishes national Internet and information-security safeguard systems,” the draft states, “and protects national Internet space sovereignty, security and development interests.” Additionally, China must “achieve security and control in Internet and information core technology, key infrastructure and important data and information systems.” Earlier reports on the nationwide security legislation included powers for handling “harmful moral standards.” The draft also calls for strengthening the country’s banking infrastructure and for improvement to financial systems “to withstand international risks and shocks,” the report states. [Reuters]

AU – Framework Aims to Embed Privacy Culture in Australian Organisations

Australian Information Commissioner Timothy Pilgrim is encouraging organisations to embed sound privacy practice into their operations with the release of a new privacy management framework. In an assessment of the online privacy policies of 20 organisations operating in Australia, including Twitter, Microsoft, Instagram, and Westpac, the OAIC revealed that 55 percent of the organisations’ policies did not meet one or more of the basic content requirements under APP 1, which requires organisations and agencies to have a privacy policy that is clearly expressed and up to date. While all the policies assessed adequately described the kinds of personal information they collect and how it is collected, some did not outline how personal information could be accessed and corrected, said the OAIC. [ZDNet] See also: NSW Privacy Commissioner Elizabeth Coombs is calling for amendments to the state’s Privacy and Personal Information Protection Act, including mandatory breach notification.

AU – Australians Willing to Sacrifice Privacy for Security

Around 600 people were surveyed following last year’s synchronised anti-terrorism police raids. A similar number were surveyed following Sydney’s Lindt Cafe siege. Security measures ranked more than 50 per cent ‘acceptable’ in the surveys included internet monitoring, mandatory DNA record-keeping, facial recognition technology, biometric scanning at airports, national ID cards, access to all travel information, bomb detection for vehicles in parking areas and x-ray scanning at major events and transport terminals. “It seems Australians are fairly ready to trade off quite strong incursions into their personal privacy if they believe these will be effective in making their world safer,” said researcher Dr Simon Fifer. “As Australians, we like to think of ourselves as naturally a bit rebellious towards authority but our research is really not supporting that stereotype.” [Source]

Privacy (US)

US – Federal Court Rules NSA Bulk Surveillance Illegal

The Court of Appeals for the Second Circuit ruled today that the bulk collection of phone metadata by the National Security Agency is illegal. Instead of looking at the constitutionality of the program, the court ruled it went beyond the scope of what Congress intended when it passed the USA PATRIOT Act. The 97-page ruling concluded that a provision of the law allowing the Federal Bureau of Investigation to collect business records relevant to combating terrorism cannot legitimately lead to bulk surveillance of domestic phone records, the report states. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so and to do so unambiguously,” the judges wrote. [The New York Times] [New York Times: Why the N.S.A. Isn’t Howling Over Restrictions]

US – Warrantless Laptop Seizure at Borders Disallowed, Rules Judge

“The Court finds, under the totality of the unique circumstances of this case, that the imaging and search of the entire contents of Kim’s laptop, aided by specialized forensic software, for a period of unlimited duration and an examination of unlimited scope, for the purpose of gathering evidence in a pre-existing investigation, was supported by so little suspicion of ongoing or imminent criminal activity, and was so invasive of Kim’s privacy and so disconnected from not only the considerations underlying the breadth of the government’s authority to search at the border, but also the border itself, that it was unreasonable. Therefore, the motion to suppress the evidence … will be granted.” Amy Berman Jackson, federal judge, U.S. District Court for Washington, DC. [NakedSecurity]

US – New Attorney General Expected to Pursue Microsoft Overseas

Newly appointed U.S. Attorney General Loretta Lynch will continue to back the Justice Department’s (DoJ) warrant compelling Microsoft to hand over customer data stored on servers in Ireland. Despite the change in leadership at the DoJ, a spokesperson said the agency’s position has “not changed.” Federal prosecutors have sought the customer data since December 2013, but Microsoft has refused to hand it over, arguing the warrant does not have jurisdiction over data stored in foreign data centers. The outcome of the case will have huge implications for U.S. technology companies. Oral arguments for the case are expected later this summer, but a date has not yet been set, the report states. [ZDNet]

US – Verizon-AOL Deal Raises Privacy Concerns

News that Verizon will purchase AOL for $4.4 billion has some privacy advocates concerned the move could give the company more personal information of customers for tailored advertising. In a note to investors, a telecom-industry analyst said, “We can envision a scenario in which Verizon leverages AOL’s ad-tech platform to target consumers and measure their engagement across traditional and digital video and measure and deliver interaction across its multiple devices, platforms and properties.” Public Knowledge Senior Vice President Harold Feld said “it raises extremely substantial and urgent privacy concerns.” Stanford University’s Johnathan Mayer said, “With this acquisition, Verizon appears to be tearing down the wall between telecommunications and personalized advertising.” [National Journal]

US – Facebook Privacy Team Restructure Has Washington Focus

Revisions in Facebook’s privacy team highlight its newfound interest in Washington, DC, as the corporation brings on former FCC Director Kevin Martin, while transferring current Facebook Chief Privacy Officer Erin Egan to serve as vice president of public policy in its Washington, DC, headquarters. “Facebook has become a major player in Washington in the past few years. The company spent more than $9 million on lobbying last year, ranking only behind Google when compared to other Internet companies, according to the Center for Responsive Politics.” [The Hill]

US – CPOs Increasingly Hired, Especially in Higher Education

Historically, the CPO was more likely to be found in the private sector rather than in higher education. But in the last few years, colleges and universities have begun hiring a growing number of CPOs because of data security and protection on campus. University of California, Berkeley CPO Lisa Ho says the “CPO role is expanding beyond the realm of preventing data breaches to represent a fundamental institutional value and priority.” She said as universities continue to face pressing privacy issues, CPOs will be called on to help balance an institution’s “multiple priorities, obligations and values.” [EDUCAUSE]

US – Apple, AT&T Object to RadioShack Sale of PII

Apple and AT&T have both formally objected to the potential sale of customer data as part of the RadioShack bankruptcy case. “In order to protect its customers’ personal information, Apple oversees the collection and use of customer information collected by its retail partners, including RadioShack,” Apple said in papers filed to a Delaware bankruptcy court, adding, “The reseller agreement between Apple and RadioShack protects information collected by RadioShack regarding purchasers of Apple products and prohibits the proposed sale of such information.” AT&T also filed an objection, noting a debtor “seemingly intends” to include consumer data acquired by selling AT&T devices, the report states. Meanwhile, a federal court ruled that Birch Communications does not have to hand over customer data to a copyright litigant. [Law360]

US – DoJ Issues Guidance and Best Practices for Cyber Incident Response

The Department of Justice (“DoJ”) guidance provides the following recommendations on measures to take in advance of any cyber intrusion or attack, with an eye toward minimizing the harm that could result from such an attack and the steps that an organization should take in responding to a cyber security incident. [Inside Privacy] …the guidance [also] sets out what companies should not do in the event of a cyberattack. A key warning here is that businesses should not “hack-back” or attempt to penetrate or damage an attacker’s systems. This warning is well taken—penetrating another system, even one believed to be involved in maliciously compromising a network, may expose individuals or businesses to criminal liability under the Federal Computer Fraud and Abuse Act, or to civil damages and penalties. [Breaking Down the DOJ Cybersecurity Unit’s Guidance on Responding to Cyberattacks]

US – The Rise of the Chief Data Officer is Upon Us

The rise of chief data officers (CDOs) reflects “the central role that data now plays in every facet of society,” states a 2015 study from IBM’s Center for Applied Insights. The study, which surveyed 250 chief information officers from large organizations, found that 61% wanted their employers to recruit CDOs in the next year. “The emergence of chief data officers at major agencies and departments is a promising sign that the federal government continues to execute on President Obama’s open data vision and his 2013 executive order,” said Nick Sinai, former deputy U.S. chief technology officer. [TechRepublic]

US – NY Assemblyman Wants DMV to Ask Permission Before Selling Data

In a routine transaction at New York’s Department of Motor Vehicles, drivers’ personal information is sold after they get their licenses or register their vehicles. The state sells the information to insurance companies, courts and employers who need to verify driving records—and also so drivers can be notified of recalls—and says strict rules govern how much data is provided and who may obtain it. But Assemblyman Kevin Cahill (R-Kingston) disagrees with the practice and is sponsoring a bill that would let drivers decide whether the data is sold. “You have to register your car, but you shouldn’t have to give away your information,” he said. [CBS2]

US – VCs: Data Privacy Affects Valuation, Ability to Raise Capital

Conventional wisdom says privacy isn’t in Silicon Valley’s DNA. Rather, it’s come up with a use for the data first, ask questions about whether you can actually use it later. But that’s changing. Venture capitalists (VCs) are now making data privacy a core part of doing due diligence; corporate boards are now asking privacy questions more frequently of young start-up ventures, and privacy-enhancing technology is a booming area for VC investment. Sam Pfeifle talks with investors and start-up founders about the new era of data privacy in start-up culture, where a good privacy program can affect everything from the initial capital raise to the exit strategy. [Privacy Advisor]

US – Commissioners Call FCC’s Privacy Approach “Prehistoric”

Two commissioners from the Federal Communications Commission (FCC) have said the agency’s approach to consumer broadband privacy is “prehistoric.” Federal Communications Commissioners Michael O’Rielly and Ajit Pai expressed their concerns about the potential rulemaking for how Internet service providers process consumer data in light of the recent net neutrality order. In discussing last month’s FCC workshop on broadband privacy, Pai said, “One of the takeaways I had … is nobody knows where we go from here … That is almost the very definition of regulatory uncertainty.” O’Rielly said, “I believe we are heading in a bad direction on privacy, and it will be bad for consumers going forward.” [Law360] See also: Group Aims to Relax FCC Authority: The 21st Century Privacy Coalition, led by former Congresswoman Mary Bono and former FTC Chairman Jon Leibowitz, is lobbying Congress to pass the Data Security and Breach Notification Act. [National Journal]

US – Former Investigator: Tiversa Falsified Findings in LabMD Case

A former Tiversa employee says the firm faked LabMD breach findings in order to provoke Federal Trade Commission (FTC) action against the cancer testing center. LabMD, which eventually closed its operations, faced a complaint by the FTC in 2013 over its data security practices. The complaint was based on breach information provided by Tiversa; however, some—including a congressman—alleged that information was suspect. Now, a former Tiversa investigator, Richard Wallace, has indicated the company “routinely” and “deliberately” falsified security problems in an effort to pull in customers, the report states, and then threatened to report “breaches” to regulators if companies didn’t buy Tiversa’s services. [SC Magazine]

US – Bombshell Testimony in FTC’s LabMD Case Breach Allegations

Wallace also testified that Tiversa had a “common practice,” in attempting to drum up business, of making it appear that other prospective clients’ data files were compromised on peer-to-peer networks and “spread” among IP addresses of known identity thieves. Those IP addresses, however, were actually for computers in criminal investigations that were already closed by law enforcement, and were added to Tiversa’s “data store” of records, Wallace testified. [GovInfoSecurity] [FTC] [GovInfoSecurity: FTC’s LabMD Case: The Next Steps Commission Won’t Call Rebuttal Witness] [SC Magazine: Former Tiversa Investigator Says Firm Faked LabMD Breach Findings] [CNN: Whistleblower Accuses Cybersecurity Company of Extorting Clients] [Law360: FTC Responds to LabMD Motion to Dismiss]

US – Google’s $8.5 Million Privacy Settlement Faces Appeal

Theodore Frank, founder of the Washington-based Center for Class Action Fairness questioned the choice of nonprofits slated to receive funds, arguing that some of them had relationships with Google as well as the lawyers representing the consumers. He pointed out that two of the plaintiffs’ lawyers were alumni of three schools slated to receive funds (Stanford, Harvard and Chicago-Kent College of Law) and that Google already donates money to Harvard, Stanford, AARP and Chicago-Kent. U.S. District Court Judge Edward Davila reportedly indicated that he was troubled by some of those points, saying at a hearing that the deal “doesn’t pass the smell test.” [MediaPost]

US – E-Verify in the States

E-Verify mandates vary considerably across states. Currently, Alabama, Arizona, Mississippi and South Carolina have across-the-board mandates for all employers. The state governments of Georgia, Utah, and North Carolina force all businesses with at least 10, 15, and 25 employees, respectively, to use E-Verify. Florida, Indiana, Missouri, Nebraska, Oklahoma, Pennsylvania and Texas mandate E-Verify for public employees and state contractors, while Idaho and Virginia mandate E-Verify for public employees. The remaining states either have no state-wide mandates or, in the case of California, limit how E-Verify can be used by employers. [CATO]

US – Watchdog Attacks Airbnb ‘Unwarranted Intrusion Into Users’ Privacy’

Santa Monica-based Consumer Watchdog released a letter it sent to ShareBetter SF, a coalition of San Francisco groups that is hoping to qualify a city ballot initiative to impose stricter regulations and penalties on online short term rental platforms. Airbnb has raised similar concerns. “As written, your initiative is an unwarranted intrusion into users’ privacy and inappropriately requires the home sharing platform to do the enforcement work that should rightfully be done by the city,” the letter states, calling the initiative “antithetical to San Francisco’s core values.” …”It’s just a crazy blunt approach that is uncalled for,” Simpson said. [Source]

US – 147 Drone-related Bills in State Legislatures

More than a dozen states regulate when and whether a warrant is required before police use a drone to gather evidence, according to the ACLU. This year, 44 states are considering another 147 drone-related bills. Drone enthusiasts say the regulations are misguided and that their actions are misinterpreted by a nervous public unfamiliar with the technology and its promise. States already protect citizens against Peeping Toms regardless of the technology involved, said Brendan Schulman, an attorney who specializes in drones at Kramer Levin Naftalis and Frankel in New York. [Bloomberg] The Data Quality Campaign offers an update on U.S. federal and state student privacy bills, including the updated Student Digital Privacy and Parental Rights Act of 2015 and new bills in North Dakota and Virginia.

US – U.S. Senate Panel Raises Privacy Concerns in White House Hacking Incident

“Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent, or any future breach, results in a compromise,” the committee chairman, John Thune, said in a statement on Sunday accompanying the letter. “If such information has been lost, the White House still has a responsibility to victims even if it believes the hack was perpetrated by foreign spies and not cyber thieves,” Thune added. [Reuters]

US – Social Media Giants Not Privacy Monsters: Deloitte Report

“Social media gets a bad rap in the media around most things, and privacy settings and policy changes in particular. But in reality they performed quite well in terms of informing consumers about exactly what they are doing, what they are collecting, and how consumers can best protect themselves,” said Deloitte’s cyber risk expert Marta Ganko. The researchers were also surprised that social media out-performed 10 other industries, including government, health and fitness, and technology, when it came to having robust online privacy policies and limited use of data-raking cookies. Social media had the shortest average duration for a third-party cookie stored on a user’s device, while the telecommunication and retail industries, ranked eighth and 11th, both had a third-party cookie which could be stored on a device for more than 135 years. Cookies usually last about two years. [Report]

US – FTC Names Katherine Race Brin CPO

The FTC has appointed Katherine Race Brin as its new chief privacy officer (CPO) to succeed Peter Miller. “Katie has served as acting CPO since December 2014,” said FTC Chairwoman Edith Ramirez, adding, “it’s an important role, and I look forward to continuing to work with her to ensure that the FTC complies with our privacy obligations.” Brin has served as senior advisor to the director of the FTC’s Bureau of Consumer Protection and as staff attorney in the Division of Privacy and Identity Protection. [Full Story]

US – Felten Named Deputy U.S. CTO

The White House’s Office of Science and Technology Policy has announced Ed Felten as its deputy U.S. chief technology officer. Felten currently teaches at Princeton University and was the first chief technologist at the FTC. “There is no one more valuable to bridging tech and policy than Ed,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology. [Source]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Mobile App Unveils Unencrypted Data

Researchers are now offering a new free online tool that shows users when transmitted data is not encrypted. Datapp, created by researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which so far is only compatible with Windows 7 or 8, acts as a consumer-friendly web traffic “sniffer,” normally something that requires some technical expertise. “Think of it as Wireshark (a network traffic-analysis tool) with an access point for dummies,” said UNHcFREG Director Ibrahim Baggili. He also said UNHcFREG created the tool without outside funding but is accepting donations in order to add more features. [IDG News Service]

US – FTC’s Sannappa on API Design’s Critical Role in Privacy

In a blog post for Tech@FTC, Nithan Sannappa of the FTC’s Division of Privacy and Identity Protection discusses privacy and security in mobile computing—specifically, the “principle of least privilege” and “sandboxing.” Sandboxing, Sannappa writes, “is an implementation of the principle of least privilege,” which recommends “every program and every user of the system should operate using the least set of privileges necessary to complete the job.” While most mobile operating systems feature sandboxing, the approach varies based on application programming interface (API) design. “Decisions about how to design APIs … play a critical role” in user privacy and security, Sannappa writes. [Source]

WW – Wave of Privacy-Enhancing Start-Ups Fail To Deliver

Violet Blue examines a wave of start-ups, their move to raise money from investors interested in privacy-enhancing technology (PET) and, to date, their failure to deliver on those promises. The list includes Anonabox, which promised to put Tor in a router, raising $82,643 before being ejected from Kickstarter; iGuardian (now SHIELD), raising $174,382 without delivering as of yet; Webcloak, and LogMeOnce. “Despite debunkings,” Blue writes, “these ‘magic box’ charlatans keep coming; people keep funding them, and crowdfunding sites don’t seem well-equipped to stop them.” To pile on, a slew of “green” security reporters “are easily duped” into believing such PET claims. Blue concludes by providing a cheat sheet for nontechnical individuals who come across others making bold PET claims. [ZDNet]

US – Wickr Announces Privacy Initiative

Online private-messaging service Wickr has announced it is splitting in two. Mark Fields will take over as chief executive of the for-profit wing, allowing Wickr Cofounder Nico Sell to lead its new nonprofit initiative. The Wickr Foundation aims to promote privacy and share online communication best practices with teenagers, dissidents, journalists and human rights activists. Fields said he plans to bring Wickr’s core technology to more businesses, the report states.

US – Judge Says Airport Laptop Search “Unreasonable”

A US federal judge in the District of Columbia has ruled that a laptop search conducted at Los Angeles International Airport violated the laptop owner’s constitutional privacy protections. The ruling allows the defendant, a South Korean businessman, to suppress evidence collected from his computer. He has been accused of selling aircraft parts to Iran. [Ars Technica] [ZDNet]

US – AVG Acquires Privax

AVG Technologies has acquired Privax, which currently has 250,000 paying subscribers who use its encrypted VPN service. AVG CEO Gary Kovacs said, “With this acquisition, we will immediately be able to provide new and innovative privacy and security services to hundreds of millions of users worldwide.” [Full Story]

US – SEC Publishes Cybersecurity Guidance

The Securities and Exchange Commission (SEC) Division of Investment Management has published a guidance update setting forth cybersecurity concerns and advice for the investment companies and advisers it regulates. The SEC specifically suggests conducting a periodic assessment of the nature, sensitivity and location of information collected and the security controls and processes in place, and recommends creating and implementing a comprehensive strategy to prevent, detect and respond to cybersecurity threats, the report states, noting the strategy could include data encryption, an incident-response plan and data backup and retrieval. The SEC recommends implementing the cybersecurity strategy “through written policies and procedures and training programs,” the report states. [JD Supra]

Remote Identification

WW – Vehicle “Fitness Tracker” Start-Up Raises $5 Million

Automile, a Swedish start-up that offers a device and platform that connects users’ cars to the cloud, has closed a $5 million Series A round. “The device itself features GPS for location tracking and GSM for data connectivity, which is included as part of the service’s subscription fee,” the report states. It’s kind of like a fitness tracker for your car, the report states, allowing users to track mileage and fuel consumption or spot potential mechanical issues. The company plans to offer an application programming interface so third-party developers can develop new applications “in the areas of fleet management, logistics, insurance or in entirely new markets,” the report states. [TechCrunch]


US – DHS Certifies First SAFETY Act Cyber Product

The U.S. Department of Homeland Security (DHS) has certified the first-ever cybersecurity products under the SAFETY Act. The post-9/11 program offers certain liability protection to organizations that use approved cybersecurity products to defend their data. In its move, the DHS certified FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform, meaning companies that use these products will be protected from lawsuits and other claims that they failed to prevent cyberterrorism. FireEye CEO David DeWalt said, “FireEye is proud to earn this first-ever SAFETY Act certification in the cybersecurity space, bringing a new level of liability protection for our customers.” [The Hill]

Smart Cards

US – Orgs Sign On to IBM’s Threat Exchange Network

IBM has announced that more than 1,000 organizations across 16 industries are participating in its X-Force Exchange threat intelligence network. The network was launched a month ago and provides open access to historical and real-time data feeds of threat intelligence in an effort to thwart cybercrime. [Full Story]

WW – EMV Cards Making Way into U.S. Market, Concerns Remain

In the wake of massive data breaches affecting major retailers, the move to credit cards with chips using so-called EMV technology is underway, but, unlike Europe, many EMV-enabled cards in the U.S. are chip-and-signature cards instead of the more secure chip-and-PIN cards. A representative from Visa said the majority of card issuers in the U.S. are opting for the more familiar signature verification step for now “to keep the consumer experience as consistent as possible.” However, the use of signature over PIN is frustrating a number of retailers and other merchants. The National Retail Federation’s Mallory Duncan said, “It means that merchants will be spending billions of dollars and see they get very little benefit from this investment.” Significantly, a new Ponemon study reveals that a majority in the payment ecosystem don’t believe the switch to chip-and-PIN will improve consumer data security. [The Washington Post]


US – N.S.A. Collection of Bulk Call Data Is Ruled Illegal

In a 97-page ruling, a three-judge panel for the United States Court of Appeals for the Second Circuit held that a provision of the U.S.A. Patriot Act, known as Section 215, cannot be legitimately interpreted to allow the bulk collection of domestic calling records. The provision of the act used to justify the bulk data program is to expire June 1, and the ruling is certain to increase tension that has been building in Congress. [New York Times] [WashPost: NSA Program on Phone Records Is Illegal, Court Rules] [US – N.S.A. Ruling Divides Republican Candidates] [Jim Harper – The Implications of Court’s NSA Ruling Assessing Order Declaring NSA Bulk Collection Program Illegal] [Wired: Court Rules NSA Bulk Data Collection Was Never Authorized by Congress]

…perhaps the most important message the unanimous decision sends is a simple one: Congress could not have intended to approve a program whose true scope almost no one outside the National Security Agency fully comprehended — that is, until Edward Snowden leaked its details to the world. …In fighting this lawsuit, brought by the ACLU immediately after the Snowden leaks, the government argued that Congress was apparently fine with this alarmingly broad interpretation. The problem, as Judge Gerard Lynch of the Second Circuit Court of Appeals rightly pointed out in his 97-page opinion, is that “it is a far stretch to say that Congress was aware” of what the intelligence court was doing. To the contrary, Judge Lynch wrote, “knowledge of the program was intentionally kept to a minimum, both within Congress and among the public,” and there was “no opportunity for broad discussion” about whether the court’s interpretation was correct. Allowing the government to define “relevant” so loosely, he said, “would be an unprecedented contraction of the privacy expectations of all Americans.” [New York Times: The Illegal Phone-Data Sweeps]

Court Ruling on N.S.A.’s Data Collection Jolts Both Defenders and Reformers: …the Senate’s most ardent civil libertarians say that legislation has now been supplanted by the court’s ruling. Mr. Paul said Friday that he would press to ban the collection of phone records altogether. And Senator Ron Wyden, Democrat of Oregon, said he would filibuster efforts by Mr. McConnell to extend the government’s current collection authority beyond its May 31 expiration. …“I will filibuster any effort to have a short-term extension of the Patriot Act if there are not major reforms, specifically getting rid of the federal human relations database, also known as bulk phone records collection,” Mr. Wyden said Friday. “I believe I can also find other members to join me in it.” [NYTimes]

Is the NSA’s Big Data Program Authorized? Key Quotes from a Major Court Ruling: “We conclude that to allow the government to collect phone records only because they may become relevant to a possible authorized investigation in the future fails even the permissive ‘relevance’ test. Just as ‘the grand jury’s subpoena power is not unlimited, § 215’s power cannot be interpreted in a way that defies any meaningful limit. Put another way, we agree with appellants that the government’s argument is ‘irreconcilable with the statute’s plain text.’ Such a monumental shift in our approach to combating terrorism requires a clearer signal from Congress than a recycling of oft‐used language long held in similar contexts to mean something far narrower.” [Source]

US – Skynet: NSA’s Surveillance Program Analyses Phone Records

Another top secret presentation from June 2012 explains that Skynet works by analysing the target’s travel patterns – including which locations they have visited in a given timeframe and how often they have returned to the location. The program also analyses the target’s behaviour, based on how they use their mobile phone, and attributes such as swapping SIM cards and handsets repeatedly, as well as constantly turning the phone off, are flagged up in the system. Skynet also analyses data collected by the NSA into people around the target who might be travelling with them or have similar travel plans, as well as whether they have contacts in common. [Source] [It’s Time to End Orwellian Surveillance of Every American] [“Skynet” is real, and it could flag you as a terrorist: If you visit airports or swap SIM cards often, you might be flagged by “Skynet”]

US – FAA Teams With Private Companies on Drone Tests

The Federal Aviation Administration (FAA) and three private companies announced plans to test an undisclosed number of commercial drones. Teaming up with CNN, PrecisionHawk and BNSF Railroad, the FAA will test drones while they gather news, survey crops and inspect railroads. “There will be a host of beneficial uses of drones that will benefit the public tremendously,” said the Center for Democracy & Technology’s Harley Geiger. “But with the pace of the technology’s improvement, it’s important to establish privacy rules now.” In February, the FAA said privacy was “beyond the scope” of its role as safety regulator. [BuzzFeed] [Drone, Data X: FAA Aims to Finalize Rules in Less Than 16 Months]

US – Researchers Find Android Apps Sharing Tracking Data

A security team has found that thousands of free Android apps are sharing user data by connecting with advertising and tracking sites without users’ knowledge. As detailed in a report from MIT Technology Review, Luigi Vigneri and his team created an automatic method to scan apps and used more than 2,000 free Android apps in their research. In some cases, a single app connected to 2,000 unique URLs, the report states. The team reportedly has a potential solution on the way called NoSuchApp that will monitor which URLs Android apps could be sharing tracking data with, the report states. [Slash Gear]

US – Drone Use Prompts Thorny Legal Questions on Airspace Ownership

Murky questions exist around commercial airspace and jurisdiction as unmanned aerial vehicle (UAV) use continues to rise. State and local police say complaints by citizens are soaring. International Association of Chiefs of Police President Richard Beary said, “We’ve never been responsible for airspace before. We understand the ground game; now all of a sudden you want state and local police to regulate airspace?” Plus, UAVs are flooding airspace below 500 feet, prompting privacy concerns. One Massachusetts town is declaring that property owners control the airspace 500 feet above their properties, citing a 1946 Supreme Court decision. The case—where does “navigable airspace” begin and property ownership end—now poses a dilemma for regulators and the UAV industry. [The Wall Street Journal]

CN – Chinese Drone Maker Becoming Global Industry Leader

Accel Partners has invested $75 million in Chinese drone developer DJI, helping make it “one of the leaders in the burgeoning civilian market for drones.” The investment comes amidst struggles to regulate unmanned aerial vehicles, particularly for safety and privacy reasons. Accel Partner Sameer Gandhi said, “The size of our investment really shows how big we think the opportunity can become … For one of the first times, you’re seeing an international company, a Chinese company, being the innovator and frankly leapfrogging all activity in other parts of the world and truly being the company everyone is chasing from an innovation point of view.” According to Forbes, DJI is on track to exceed $1 billion in sales this year alone. [New York Times]

Telecom / TV

US – Court Reverses Landmark Cell-Phone Privacy Decision

A U.S. Circuit court has reversed a landmark privacy decision. Last year, the court ruled against the government in a case involving Quartavious Davis, whose cell phone was tracked by police as he went on a crime spree. But in a decision published Tuesday, a panel of 11th Circuit Court judges overturned the ruling in U.S. v. Davis. The new ruling says that because Davis’s phone location data wasn’t his property but that of the phone carrier, he had no expectation of privacy and the police who were tracking him didn’t need a warrant. “It’s a huge setback as compared to the decision it vacated,” said one law professor. [Wired]

US – Appeals Court Overturns Privacy Win in Phone-Tracking Case

Two judges disagreed with the majority on the constitutional question, including Judge Beverly B. Martin who wrote a dissenting opinion arguing that the Fourth Amendment required the government to get a warrant before accessing the cell site location data. “The judiciary must not allow the ubiquity of technology—which threatens to cause greater and greater intrusions into our private lives—to erode our constitutional protections,” she wrote. [Source]

US – Court’s Reversal Leaves Phones Open to Warrantless Tracking

The 11th circuit’s reversal on Davis leaves the question of warrantless phone tracking in limbo. Several state courts have ruled that the practice is unconstitutional, including Massachusetts, New Jersey and Florida, while some higher courts now seem to allow it. “It’s a hodgepodge,” says Electronic Frontier Foundation civil liberties lawyer Hanni Fakhoury. “What does all this mean for someone who lives in Florida? One court has said yes and one has said no. That’s problematic.” [Wired]

US – DOJ Reviewing Use of Stingrays, Aiming for More Transparency

The Department of Justice (DOJ) has begun a review of the secretive use of Stingrays, or cell-phone surveillance technology that mimics cell-phone towers. Stingrays trick mobile phones into believing they are communicating with legitimate cell-phone towers while harvesting data from the phones including identity, location and phone content, the report states. The FBI for years used the technology without warrants. But senior government officials have said they want to be more open about the surveillance, though the DOJ hasn’t revealed what that will look like yet in terms of how little or how much it shares. [PCWorld] [ComputerWorld] [SC Magazine] [Ars Technica]

US – Trade Groups: FCC Reclassification Unfair for Broadband Providers

A coalition of industry trade groups argues in court papers that the FCC’s move to reclassify broadband as a utility will place “immense burdens and costs” on Internet service providers. “The order represents a sharp about-face in which a federal agency … has arrogated to itself breathtaking authority over the most transformative technology in living memory,” stated the coalition, which includes the USTelecom Association, CTIA-The Wireless Association, the Wireless Internet Service Providers Association, the American Cable Association, the National Cable & Telecommunications Association, AT&T and CenturyLink. “It has done so by subjecting broadband Internet access service to a regime that was originally designed, not for the era of social networking and streaming video but for 19th century railroads.” [MediaPost]

US Government Programs

US – Federal Court Rules NSA Bulk Surveillance Illegal

The Court of Appeals for the Second Circuit ruled today that the bulk collection of phone metadata by the NSA is illegal. Instead of looking at the constitutionality of the program, the court ruled it went beyond the scope of what Congress intended when it passed the USA PATRIOT Act. The 97-page ruling concluded that a provision of the law allowing the Federal Bureau of Investigation to collect business records relevant to combating terrorism cannot legitimately lead to bulk surveillance of domestic phone records, the report states. “We do so comfortably in the full understanding that if Congress chooses to authorize such a far-reaching and unprecedented program, it has every opportunity to do so and to do so unambiguously,” the judges wrote. [The New York Times]

Appeals Court Rules NSA Data Collection Not Authorized by Patriot Act: A US Federal Appeals Court has found the NSA’s wholesale collection of cellphone communication metadata to be illegal. The court did not address the constitutionality of the practice, but instead said that the scope of the operation exceeds what Congress authorized in section 215 of the Patriot Act, which was passed in the wake of the September 11, 2001 attacks. The original case was brought by the American Civil Liberties Union (ACLU) and was dismissed by a lower court in 2013. [Wired] [Ars Technica] [Ars Technica]

NSA Bulk Surveillance Program Likely Heading to SCOTUS

The recent Second Circuit Court of Appeals ruling that the NSA bulk phone records collection program is illegal “raised constitutional questions likely to be answered by the Supreme Court.” The ACLU’s Patrick Toomey said, “Given the amount of metadata that Americans create everyday … I think it’s very likely that the status of the third-party doctrine ends up before the Supreme Court again sometime soon, whether through one of these cases or another.” National Whistleblowers Center Executive Director Stephen Kohn said Thursday’s NSA decision justified the actions of Edward Snowden and highlighted “the importance of whistleblowing.” Meanwhile, a column in TIME describes the ruling as “a victory for privacy.” [The Hill]

US – Cybercriminals Targeting Healthcare Data

According to a new study on Privacy and Security of Healthcare Data, criminal attacks have now passed insider negligence as the main cause of data loss and theft in the healthcare industry, which is not well prepared. With “some exceptions, … healthcare providers either lack the resources, staff, or technical innovations to meet the changing cyber-threat environment.” Half of the healthcare organizations surveyed said they had “little or no confidence” that they would be able to detect every data loss or theft. And nearly two-thirds of healthcare providers and affiliated businesses offer no protection services for patients whose data are stolen. [Dark Reading] [NBC News]

US – What You Need to Know About Educational Software

Research released in January shows that educational applications are the second most popular category in the Apple App Store, comprising just over 10% of all app downloads. This indicates a tremendous interest in learning applications across a wide, technically savvy—and growing—demographic. But a lack of regulations and guidelines means privacy isn’t always a priority. “The topic will likely take its place as a top-level priority this year as parents, educators and administrators take greater notice of the potential issues coming down the road,” Goodman writes. [The Privacy Advisor]

US Legislation

US – House Passes USA Freedom Act to Curb NSA Spying

Civil liberties groups like the Electronic Frontier Foundation and others are divided in their support of the bill. Many say it’s better than nothing, but hope that the Senate will add wording to strengthen protections before passage. EFF had supported the legislation until last week when a federal appeals court ruled that the bulk collection of phone data is illegal. In that decision, the Second Circuit Court of Appeals found that the collection of Americans’ phone metadata was never authorized by Section 215 of the Patriot Act, as the intelligence community had insisted. EFF has now said that the ruling should embolden the Senate to roll back the bill to a previous 2013 version that provides stronger reforms. [Wired]

US – McCaul: USA PATRIOT Act Will Get Privacy Protections

House Homeland Security Chairman Mike McCaul (R-TX) says the USA PATRIOT Act, set to expire June 1, will be renewed by Congress with more privacy protections. The act would “stop metadata collection by the National Security Agency … and put it back in the hands of telephone carriers,” the report states. “I think that’s where you’re going to see Congress headed towards, and the courts have certainly gone in that direction,” said McCaul. Meanwhile, following the court ruling last week declaring the practice illegal, Senate Intelligence Committee Chairman Richard Burr (R-NC) has defended the federal government’s bulk phone-recorded collection saying it’s “very effective at keeping America safe.” [Newsmax]

US – Legislators Introduce Bill to Protect Student Privacy

After a 2013 Fordham University study revealed that nearly 95% of schools were employing cloud services to manage students’ data, legislators are attempting to ensure its protection. The Hatch-Markey Bill aims to force the hand of educational institutions to not only alert students and their families that their data is being handled by third parties, but also prohibit schools from selling said data as, per the Fordham study, only 7% of universities take these steps themselves. “Data analysis holds promise for increasing student achievement, but it also holds peril from a privacy perspective. A child’s educational record should not be sold as a product on the open market,” said Sen. Ed Markey (D-MA). [The Hill]

US – Senators Introduce Drone Bill

Two senators have introduced a bill that aims to establish temporary rules to regulate and manage the nascent commercial drone industry, Forbes reports. Sen. Cory Booker (D-NJ) and Sen. John Hoeven (R-ND) introduced the Commercial UAS Modernization Act, which would set guidelines for unmanned aircraft systems. Commercial use of such aircraft is currently banned by the Federal Aviation Administration, though businesses may apply for exemptions to operate UAS on a case-by-case basis. Booker said he introduced the bill to prevent the U.S. from falling behind other countries because of a lack of rules. [Source]

US – Illinois Data Breach Bill Opposed by Ad Industry

New state data breach legislation in Illinois is being opposed by the ad industry. In a letter to state lawmakers, the Association of National Advertisers, together with other groups—including the Direct Marketing Association, Interactive Advertising Bureau, American Advertising Federation, American Association of Advertising Agencies, Acxiom and Epsilon—said that Illinois Senate Bill 1833 would create “unnecessary compliance burdens” for businesses. The proposed legislation would require businesses to notify customers if a breach exposed financial and geolocation data. The bill has already passed the state senate and will be taken up by a house committee on Wednesday. Illinois Attorney General Lisa Madigan backs the proposed legislation. [MediaPost]

US – Washington Limits Stingray Surveillance in Unanimous ‘Pro-Privacy’ Law

Governor Jay Inslee, a Democrat, added his signature to HB 1440 this week, authorizing a law that, effective immediately, requires police officers to obtain search warrants before deploying “cell site simulators,” or devices that mimic the behavior of mobile phone towers.

US – Georgia Passes Student Data Privacy, Accessibility and Transparency Act

Pundits are calling the state’s new student data privacy law the most comprehensive in the nation. The state is required by the act to develop a data security plan that will keep student data as safe as possible. Technology vendors working with schools will be required to develop security procedures and prohibited from selling personal information about students to advertisers or anyone else. [GovTech]

US – Other Privacy Legislation

  • The White House has given its support to a bill proposed by Reps. Luke Messer (R-IN) and Jared Polis (D-CO). The Student Digital Privacy and Parental Rights Act “would bar school technology vendors from selling student information to third parties or from creating student profiles for noneducational purposes.”
  • Oman’s draft information protection law seeks to “make it mandatory for government and private institutions to take necessary steps to protect data they collect about citizens and individuals for official and other purposes.”

Workplace Privacy

US – Woman Fired for Turning Off 24-hour Tracking App

A California woman has filed a lawsuit in which she claims she was fired for turning off a tracking app installed on her employer-issued iPhone. Myrna Arias said she was fired shortly after she told her boss she was turning off the Xora app that she and her coworkers were required to use. Arias said her boss “admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone.” Arias said it was an invasion of her privacy during off hours, likening it “to a prisoner’s ankle bracelet,” the suit states. Arias now seeks $500,000 for invasion of privacy, retaliation and unfair business practices, among other claims. [Ars Technica]


01-15 March 2015


US – Facial-Recognition Software Raises Privacy Concerns

New software is being implemented by Rutgers University for students taking an online course to track students’ facial identity, photo ID and browser activity. The ProctorTrack software suite records face, knuckle and personal identification details during the online courses and “keeps track of all activity in the monitor, browser, webcam and microphone” during each session. [The Daily Targum]

US – Privacy Advocates Launch Petition Against Voice-Activated Barbie

Children’s privacy advocacy organizations are trying to stop the production and release of a new voice-activated Barbie doll. The Internet-connected “Hello Barbie” can record and analyze speech and “listen and learn each girl’s preferences and then adapt to those accordingly.” The Campaign for a Commercial-Free Childhood has launched a petition to prevent the doll from hitting stores. “If I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed,” said Angela Campbell, adding, “In Mattel’s demo, Barbie asks many questions that would elicit a great deal of information about a child, her interests and her family.” [The Washington Post]

Big Data

EU – Report: Privacy is a Global Issue of Economic Justice

Data Justice has issued a new report indicating companies’ control of personal information “is not just an issue of privacy but is becoming a critical issue of economic justice.” Data Justice Director Nathan Newman writes, “This steady loss of data by individuals into the hands of increasingly centralized corporate hands is helping drive a large portion of the economic inequality that has become central to the political debate in our nation.” The report proposes steps “to making big data work for everyone”—including requiring explicit consent and better informing users of how data is being used and how companies profit from it. [Huffington Post]

US – Universities Form Alliance to Manage Big Data

Aiming to better manage big data in healthcare, the University of Pittsburgh Medical Center, the University of Pittsburgh and Carnegie Mellon University have teamed up to form the Pittsburgh Health Data Alliance. The three organizations are hoping to integrate data from electronic health records, wearables, diagnostic imaging and other sources more seamlessly. Through the Pittsburgh Health Data Alliance, “the three institutions also hope to create and advance technologies around ‘data-heavy’ healthcare innovation, perhaps resulting in spin-off companies that could boost economic activity around the burgeoning data and digital health sectors.” [MedCity]

US – Interview: White House’s First Chief Data Scientist

The White House has named former PayPal and eBay executive DJ Patil as the nation’s first chief data scientist. As well as helping the government make the most of the data it holds, Patil said the government’s role includes making sure data is used properly and helping citizens get access to data. He described his office’s purpose as ensuring “responsible use of data for the good of all citizens.” Patil’s immediate projects include analyzing the ways people use government websites and Precision Medicine, a longitudinal health study that aims to find patterns between lifestyle factors and genetic predispositions. [The Wall Street Journal] [Big Data: A Brief(ish) History Everyone Should Read] [Big Data’s Dark Side]


CA – Canada’s “AntiTerrorism” Bill C-51

A Legal Primer: Expands the Powers of Canada’s Spy Agency, Allows Arrest on Mere Suspicion. Overly broad and unnecessary anti-terrorism reforms could criminalize free speech. Bill C-51, the Anti-Terrorism Act, 2015, would expand the powers of Canada’s spy agency, allow Canadians to be arrested on mere suspicion of future criminal activity, allow the Minister of Public Safety to add Canadians to a “no-fly list” with illusory rights of judicial review, and, perhaps most alarmingly, create a new speech-related criminal offence of “promoting” or “advocating” terrorism. These proposed laws are misguided, and many of them are likely also unconstitutional. The bill ought to be rejected as a whole. Repair is impossible. [Source]

SEE ALSO:
[Bill C-51 for Dummies: What you should know: Explaining the Tories’ controversial anti-terror legislation: Canada’s privacy commissioner Daniel Therrien has warned, in particular, about the information-sharing aspect of C-51. Therrien won’t be appearing in front of the House of Commons committee that is currently studying the bill, although both the NDP and Liberals requested that he do so.]
[Proposed CSIS powers a ‘constitutional mess,’ former watchdog warns: New anti-terror bill comes under heavy criticism during opening round of testimony. Ron Atkey, who served as the first chair of the Security Information Review Committee (SIRC), warned that provisions allowing CSIS agents to ask the federal court to authorize activities that could breach charter rights will almost certainly be struck down by the courts.]
[Bill C-51: Privacy watchdog Daniel Therrien blocked from committee witness list: Conservatives rebuff NDP attempt to add privacy commissioner to committee witness panel. Privacy Commissioner Daniel Therrien provided a written submission to the Commons committee reviewing the new anti-terrorism legislation, but efforts to add him to the witness list were blocked by Conservative committee members.]
[First Nations vow legal challenge of anti-terror bill: “We want the whole bill gone,” AFN National Chief Perry Bellegarde told reporters after testifying at a turbulent House of Commons committee on the proposed omnibus bill, which would give extraordinary powers to federal spies, government departments and the RCMP to thwart national security threats. The authorization to launch a Supreme Court challenge would first need the permission of AFN chiefs.]
[Aboriginal leaders fear anti-terror bill gives licence to target them as ‘terrorists in our own territories’: “We don’t want to be labelled as terrorists in our own territories, our own homelands, for standing up to protect the land and waters,” Assembly of First Nations national chief Perry Bellegarde told the House of Commons public safety committee. Public Safety Minister Steven Blaney told the committee earlier this week such concerns were ridiculous, saying the legislation is not intended to capture minor violations committed during legitimate protests.]
[Bill C-51: Blaney, MacKay questioned on anti-terror bill fine print: Justice Minister Peter MacKay, RCMP commissioner and CSIS director appear before committee. During his opening statement, Blaney highlighted the “key misconceptions” that he said had been put forward by members of the opposition and “so-called experts”: the claim that “legitimate protest” could be treated as potential terrorist threats, which he called “completely false, and frankly ridiculous.” …Before witness testimony got underway, Garrison tried to get unanimous consent from his committee colleagues to sit for an extra hour in order to hear from Privacy Commissioner Daniel Therrien, but that consent was denied.]
[Borders are “no-privacy” zones: Many do not know how few rights exist in that area. Others wish the courts would clarify that picture. As reported in Canadian news sources, Quebec resident Alain Philippon found all this out first hand when he recently refused to provide the password for his cell phone to airport border agents for inspection in Halifax. He was returning from time spent in the Dominican Republic.]
[Man arrested for refusing to give his phone’s passcode to border agents: Right now, Canadian laws don’t treat cellphones or smartphones any differently from other goods, so they are subject to examination. The Supreme Court of Canada also says police can try to crack one’s passcode, but a person has no obligation to give up their password to police, under the charter right to silence.]
[Speaking against Bill C-51: “We are deeply concerned that (Security of Canada Information Sharing Act) SCISA would permit the sharing of personal information of individuals who have participated in lawful, peaceful demonstrations like the large-scale protests against investment in apartheid-era South Africa and the incarceration of Nelson Mandela,” the letter states. “The historic peaceful protests in support of nuclear disarmament would also almost certainly have been caught as well.”]
[Anti-Terrorism Act threatens privacy rights: Editorial – The new Anti-Terrorism Act gives the Canadian Security Intelligence Service and 16 other federal departments and agencies “excessive” power to share “unprecedented” amounts of personal information, the privacy commissioner warns]
[Officials flag federal anti-terror bill: Privacy commissioners, ombudsmen unite in labelling it ‘far-reaching’. “There needs to be better balance in this bill,” acting Manitoba ombudsman Mel Holley said. “When we look at this new bill, we say it goes too far, the definitions are too broad, the powers are sweeping, and the oversight is lacking. There’s always this debate about the balance between privacy and security. Well, we don’t recall being at the debate.” “It doesn’t matter if you’re in Montreal or Morris, this affects all of us.”]
[Anti-terror bill powers ‘excessive,’ Canada’s Privacy Commissioner says: “The end result is that national security agencies would potentially be aware of all interactions that all Canadians have with their government. That would include, for example, a person’s tax information and details about a person’s business and vacation travel,” Mr. Therrien said. Bill C-51 would beef up the powers of the Canadian Security Intelligence Service, criminalize the promotion of terrorism and provide the RCMP with new powers of preventative arrest. But the Privacy Commissioner is decrying the fact that 14 of the 17 federal agencies that are receiving “limitless” powers under C-51 are “not subject to independent oversight.”]
[Privacy Commissioner Slams Bill C-51: Canadians are ‘concerned with the issue of government surveillance,’ Therrien says. The privacy commissioner also expressed concern that the bill permits various government departments, approximately 17, to share information about Canadians, based simply on “relevance” rather than necessity. As an example, he writes, tax information that has traditionally been highly protected could be widely shared with other government departments. And, if it turns out that sharing such information was inappropriate, there’s no recourse for Canadians.]
[All Canadians would be trapped in anti-terror legislation’s ‘web’, warns privacy commissioner: The commissioner also called for a limit on how long personal information can be retained by departments, urged formal written agreements between departments, and asked that the government build in some type of independent oversight measures to ensure departments are treating personal information properly. He also said the government should include a mandatory review of the bill after three years, which has been the standard practice for other national security legislation.]
[Daniel Therrien: Bill C-51 Means Trouble Without Big Changes: The bill would provide 17 federal government agencies with almost limitless powers to monitor and profile ordinary Canadians, with a view to identifying security threats among them. The end result is that national security agencies would potentially be aware of all interactions all Canadians have with their government. That would include, for example, a person’s tax information and details about a person’s business and vacation travel.] [Daniel Therrien: Submission to PSNS Committee on C-51]
[Christy Clark says we could ‘regret’ giving away personal freedoms in Bill C-51: “We should be very careful in Canada, in a country where so many people have sacrificed their lives to preserve our freedoms, to make sure that we aren’t — in the effort to protect ourselves against unknown threats – really diminishing our personal freedoms. …We will regret that forever. When you give up personal freedoms, it’s very hard to get them back.” — B.C. Premier Christy Clark.]
[Privacy lawyer warns against flying with ‘intimate information’: Alain Philippon case raises concerns about how far border guards can go. Border agents have the right to look through an individual’s computer or cellphone, or demand a password, as that power has yet to be constitutionally tested. Fraser says if you deal with private records professionally, it’s best to wipe your devices clean before you hit customs.]
[Profs Roach and Forcese & their swift assault on C-51: Kent Roach and Craig Forcese just happened to be on sabbatical when the PM announced his Anti-Terrorism Act. They set up a website, under the stolid banner “Canada’s Antiterrorism Act: An Assessment,” on which they have posted a series of devastatingly comprehensive critiques of the bill—tackling everything from how it would chill free speech, to how it would undermine privacy, to how it puts judges in the unprecedented position of authorizing Charter of Rights and Freedoms violations by Canada’s spy agency. Their fine-grained commentaries now form the intellectual core of what’s emerged as surprisingly vigorous push-back against the Anti-Terrorism Act. Expect to see them cited again and again when the House public safety committee begins hearings into the bill on March 9. Roach and Forcese are slated to be called to testify. The committee won’t hear from anybody more steeped in the subject at hand.]
[Canada’s Terrifying Anti-Terror Bill: Spooks Need a Tighter Leash, Not C-51’s Fresh Powers: If Canada’s security agencies are already overstepping their bounds, the extension of CSIS powers to include the “disruption” of terrorist activity, C-51’s extremely broad definition of terrorism, and preventative imprisonment when a subject “may” engage in terrorism, is nothing short of frightening. The complaints have come piling in, including from four former prime ministers. The latest plea to scrap C-51 comes from 100 law professors nationwide, with their 4,000-word text covering “some, and only some” of the serious flaws in the bill. The letter notes that the bill opens the door for the stifling of protests and other forms of legitimate dissent.]
[Colin Bennett: C-51 and no fly-lists — they will get longer: …the Secure Air Travel Act codifies what may seem like a deceptively simple idea to strangle the ability of terrorists, and those who support terrorists, from travelling by air. On the other hand, the list is going to get longer; it is going to be shared with more public and private agencies (domestic and foreign); the chances of the capture of erroneous, incomplete or obsolete information will be multiplied; the number of false-positive hits is likely to increase; and the process for innocents to seek removal and redress is likely to become more lengthy, costly and onerous.]
[Colin Kenny: What real intelligence oversight would look like: Efforts to increase national security accountability of CSIS must include the re-establishment of its Inspector General. The Harper government shut this organization down in 2012, arguing that its mandate overlapped with that of SIRC, even though both bodies were specifically designed to look at CSIS in different ways: SIRC held the role of after-the-fact, civilian review that reported to Parliament, while the Inspector General performed an internal oversight function that reported to the Minister of National Defence. Unlike the members of SIRC, Inspectors General had decades of experience working in Canada’s security and intelligence community. They had the background, access and mandate to provide as close to real-time oversight of the spy agency as is possible in a Westminster system.]
[Chill sets in over anti-terror laws: Filmmaker concerned he’ll be labelled terrorist: “Just me posting some of my ideas for this drama series would be enough for them to throw me in jail and not charge me until they determine they’ve taught me a lesson, and perhaps even try to dissuade me from producing the series,” Torrie said. “Literally freedom of speech, of expression is at stake here.” The new law says it can apply to someone who purposely tells someone else to commit terrorism but also to someone whose comments might lead someone to do so, regardless of whether that was the intention, and regardless of whether the comments result in a terrorist activity. It is punishable by up to five years in prison.]
[Why experts say Bill C-51 will spawn spy scandals]
[The Conservatives insist accountability will be improved through the need for judicial warrants to exercise new CSIS powers. The paper points out that the only circumstance in which the bill clearly requires a court-approved warrant is when CSIS will contravene the Charter of Rights and Freedoms or other Canadian law. “As with its existing surveillance powers, a substantial amount of CSIS activity that falls short of the warrant ‘trigger’ will never be pre-authorized by a judge,” it says, adding this is especially true when it comes to international operations, where Canadian law generally doesn’t apply.]
[Libertarian Party of Canada on Bill C-51]
[Canada’s controversial anti-cyberbullying law, Bill C-13, is now in effect]

CA – Mounties Stonewalled Request for Warrantless Data

The internal memorandum cites specific problems with the RCMP evidence, acknowledging “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted; however, the memorandum states, “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.” The conclusion leaves little doubt about the problems the auditors encountered. It goes much further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.” [Source]

CA – NF Govt Commits to Implementing Access Report Recommendations

“We will be acting on the recommendations contained in the report,” said Steve Kent, the minister responsible for the Office of Public Engagement, adding that the government will begin implementing the recommendations during the spring sitting of the House of Assembly. The commission even went so far as to write draft legislation of its own. The independent commission is chaired by former Liberal premier and chief justice Clyde Wells, who prepared the report with retired journalist Doug Letto and former federal privacy commissioner Jennifer Stoddart. [Source]


US – Pew: People Know About Surveillance Programs, Unsure How to Respond

In new research, roughly two years after the initial Snowden revelations, the Pew Research Center finds that U.S. citizens are aware of the surveillance programs revealed by Snowden, but are split on how they’ve responded to that knowledge. While just 6% are unaware entirely, 34% have taken at least one step to hide their information from the government and 40% of those under 50 have done so. Of the rest, 54% believe it would be “somewhat” or “very difficult” to do anything to avoid the surveillance, and are unaware of steps that would make it possible. Finally, the country is almost evenly split on whether there are appropriate checks and balances in place: 48% say the courts are balancing national security with the right to privacy appropriately. [Full Story]

WW – Privacy or Personalization? It’s Complicated

A recent study from Accenture shows that about 60% of consumers want real-time promotions and offers, but only 14% want to share their browsing history. The research also shows varying attitudes about the desired level of personalization depending on age. What most people do like, according to the study, is automatic discounts for loyalty points and coupons, sites that are optimized for different devices and “one-click” checkout. Marketingland offers suggestions for marketers navigating the balance between value and privacy, such as “make data use transparent” and “own and control your data.” [MediaPost]

US – Survey: This Tax Season, Privacy Concerns Abound

A recent survey by indicates most Americans are “very or somewhat concerned about the privacy and safety of their personal and financial data” this tax season. Of the survey’s respondents, “70% expressed concerns about the safety of their data when using desktop computers to file their state and federal tax forms; 68% are concerned when using their iPads or tablets, and 69% are concerned when using their smartphones,” a news release states. A spokesperson for suggests the IRS “would do all taxpayers a great favor by eliminating its free e-file service, and thereby dramatically and immediately help reduce fraud.” [Full Story]

CA – Quebec Man to Fight Phone Password Charge

A Quebec man “charged with obstructing border officials by refusing to give up his smartphone password” has said he will fight that charge, and the case is raising legal questions. Dalhousie University Schulich School of Law’s Rob Currie noted that travelers crossing Canada’s border “have a reduced expectation of privacy,” the report states. However, he said, “This is a question that has not been litigated in Canada, whether they can actually demand you to hand over your password to allow them to unlock the device,” adding, it is “one thing for them to inspect it, another thing for them to compel you to help them.” [CBC News]


US – CA, ME City Officials on Protecting Citizens’ Privacy

At a meeting in Bangor, ME, a City Council member raised concerns that a proposed program to inspect more apartments in the city could result in privacy issues. Councilor Ben Sprague worried whether city inspectors would be required to report illegal activities to law enforcement. And in California, the Electronic Frontier Foundation reports Oakland City Council’s Public Safety Committee will soon consider recommendations by Oakland’s Domain Awareness Center Ad Hoc Advisory Committee on Privacy and Data Retention. The committee aims to pass a privacy policy following further input from city staff and the public. [Bangor Daily News]


WW – Yahoo Announces On-Demand Passwords, Releases Encryption Plugin Source Code for Review

Yahoo has announced that it will let users log into their accounts with on-demand passwords sent as SMS messages to their mobile devices. The scheme is not the same as two-factor authentication, which Yahoo also offers. Yahoo also plans to release a plug-in that would enable end-to-end encryption for its email by the end of the year. The company has released the plug-in’s source code for public review. [CNET] [DarkReading] [SC Magazine] [ComputerWorld] [Yahoo]
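The security properties that matter for a scheme like the one described above are that the code is unpredictable, short-lived, usable once, and not stored in the clear on the server. The following is an added illustration written for this page, not Yahoo's implementation: a small server-side issuer/verifier for one-time login codes delivered out of band. The delivery channel is a callback (standing in for an SMS gateway), the store is an in-memory dict, and the class name, code length, time-to-live and attempt limit are all assumptions chosen for the example. As the article notes, this replaces the password rather than adding a second factor to it, which the comments point out.

```python
"""Added example (not Yahoo's code): issuing and verifying short-lived,
single-use login codes sent out of band, e.g. by SMS.

Assumptions for the example: an 8-digit code, a 5-minute lifetime, at most
5 guesses per issued code, and an in-memory store. The SMS gateway is a
callback supplied by the caller; the clock is injectable so expiry can be
tested without sleeping.
"""
import hmac
import secrets
import time

CODE_DIGITS = 8          # assumed length of the delivered code
TTL_SECONDS = 300        # assumed lifetime of an issued code
MAX_ATTEMPTS = 5         # assumed guess limit before the code is discarded


class OnDemandPasswords:
    """Server-side state for codes that stand in for the account password.

    Note that this is a single factor: whoever receives the message can log
    in, so it is only as strong as control of the phone number. It is not
    the same thing as a second factor layered on top of a password.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, message_text)
        self._clock = clock
        self._pending = {}          # account -> {salt, digest, expires, attempts}

    def issue(self, account, phone_number):
        """Generate a fresh code, store only a keyed digest, and deliver it."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        # Issuing a new code invalidates any earlier one for the account.
        self._pending[account] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your one-time login code is {code}")

    def verify(self, account, submitted):
        """Return True once for the correct, unexpired code; False otherwise."""
        rec = self._pending.get(account)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[account]          # expired: discard
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]          # too many guesses: discard
            return False
        ok = hmac.compare_digest(rec["digest"], self._digest(rec["salt"], submitted))
        if ok:
            del self._pending[account]          # single use
        return ok

    @staticmethod
    def _digest(salt, code):
        # The plaintext code is never stored; a per-code salt keyed HMAC is.
        return hmac.new(salt, code.encode(), "sha256").digest()


if __name__ == "__main__":
    outbox = []
    svc = OnDemandPasswords(lambda number, text: outbox.append(text))
    svc.issue("alice", "+1-555-0100")        # constructed account and number
    delivered = outbox[-1].split()[-1]
    print("first use accepted:", svc.verify("alice", delivered))
    print("replay accepted:   ", svc.verify("alice", delivered))
```

The guess limit is what makes an 8-digit code acceptable: without it, the verifier becomes an oracle that can be queried 10^8 times inside the code's lifetime. Issuing a new code also discards the previous one, so a stale message cannot be used after the user has requested a fresh one.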

CA – CRTC Issues $1.1 Million Penalty to Compu-Finder for Spamming Canadians

The Chief Compliance and Enforcement Officer finds that Compu-Finder sent commercial electronic messages without the recipient’s consent as well as emails in which the unsubscribe mechanisms did not function properly. The emails sent by Compu-Finder promoted various training courses to businesses, often related to topics such as management, social media and professional development. The four alleged violations occurred between July 2, 2014 and September 16, 2014. Furthermore, an analysis of the complaints made to the Spam Reporting Centre of this industry sector shows that Compu-Finder accounts for 26% of all complaints submitted. [Press Release] [Million Dollar Spam Fine Sends Message to CASL Fencesitters]


CA – Man Arrested at Canadian Border for Refusing to Divulge Phone Password

A Canadian man returning from the Dominican Republic was arrested in Halifax, Nova Scotia, for refusing to provide law enforcement at the border with the code to unlock his smartphone. A Canadian Border Services Agency spokesperson said the man was arrested for “hindering” border guards from performing their duties. [CNET] [CBC]

US – FTC’s Primary Domain Now HTTPS by Default

The US FTC has made its primary domain HTTPS by default, which enhances security and privacy for users. Browsers will automatically verify the website’s authenticity, which will help guard against website impersonation. [Washington Post] [The Hill] [Full Story]

WW – Firefox Update to Add Certificate Security Feature

Firefox 37 will include a new mechanism to check SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates. While the technology, dubbed OneCRL (Certificate Revocation List), will not supplant the currently used Online Certificate Status Protocol (OCSP) for the time being, Mozilla may eventually disable OCSP for certificates covered by OneCRL. Firefox 37 is expected to be available at the end of March. [eWeek] [The Stack]
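The point of pushing a revocation list to the client in advance is that the check then needs no network round trip at connection time, so it cannot be blocked or time out the way an OCSP query can. The following added example, written for this page and not Mozilla's code, shows that ordering in a small client-side check: a local list is consulted first, OCSP is asked only for certificates the list does not cover, and an unreachable responder is reported as inconclusive rather than silently treated as good. The CA names, serial numbers and the "covered issuers" rule are assumptions constructed for the example; how the list itself is distributed and signed is out of scope.

```python
"""Added example, not Mozilla's code: a revocation check that consults a
list of revoked certificates pushed to the client ahead of time (the OneCRL
idea) before falling back to a live OCSP query.

Assumptions: entries are keyed by (issuer, serial); issuers whose
revocations are fully reflected in the local list are treated as covered,
so no OCSP round trip is made for their certificates. All CA names and
serials below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # inconclusive, e.g. the OCSP responder was unreachable


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


# Constructed sample revocation list and coverage set (made-up CA data).
REVOKED_ENTRIES = {
    ("CN=Example Intermediate CA", 0x1A2B),
    ("CN=Example Intermediate CA", 0x3C4D),
}
COVERED_ISSUERS = {"CN=Example Intermediate CA"}

# Constructed stand-in for an OCSP responder: it knows two serials of
# another CA and simulates an outage for a third CA.
_OCSP_ANSWERS = {
    ("CN=Other CA", 7): Status.GOOD,
    ("CN=Other CA", 8): Status.REVOKED,
}


def constructed_ocsp_responder(cert):
    """Return the responder's answer for cert, or raise OSError on 'outage'."""
    if cert.issuer == "CN=Unreachable CA":
        raise OSError("OCSP responder timed out")
    return _OCSP_ANSWERS.get((cert.issuer, cert.serial), Status.UNKNOWN)


def check_cert(cert, revoked_entries, covered_issuers, ocsp_query):
    """Return (Status, source) for cert.

    The local list is consulted first because it needs no network access;
    OCSP is only queried for certificates the list does not cover, and a
    failed query is surfaced as UNKNOWN so the caller can decide how to
    treat an inconclusive check instead of defaulting to GOOD.
    """
    if (cert.issuer, cert.serial) in revoked_entries:
        return Status.REVOKED, "local-list"
    if cert.issuer in covered_issuers:
        return Status.GOOD, "local-list"
    try:
        return ocsp_query(cert), "ocsp"
    except OSError:
        return Status.UNKNOWN, "ocsp-unavailable"


def demo():
    """Run the check over a few constructed certificates; returns a dict."""
    certs = [
        Cert("CN=revoked.example", "CN=Example Intermediate CA", 0x1A2B),
        Cert("CN=fine.example", "CN=Example Intermediate CA", 0x9999),
        Cert("CN=ocsp-good.example", "CN=Other CA", 7),
        Cert("CN=ocsp-revoked.example", "CN=Other CA", 8),
        Cert("CN=no-answer.example", "CN=Unreachable CA", 1),
    ]
    return {
        c.subject: check_cert(c, REVOKED_ENTRIES, COVERED_ISSUERS,
                              constructed_ocsp_responder)
        for c in certs
    }


if __name__ == "__main__":
    for subject, (status, source) in demo().items():
        print(f"{subject:26} {status.value:8} via {source}")
```

The UNKNOWN outcome is the interesting one: a client that treats it as GOOD (soft fail) gives an on-path adversary who can drop OCSP traffic a way to keep a revoked certificate working, which is exactly the gap a pre-distributed list closes for the issuers it covers.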

EU Developments

EU – Council Reaches Agreement on One-Stop Shop

The EU’s Council of Ministers has reached a partial general approach on specific issues of the draft regulation. The partial general approach includes the chapters and recitals on the one-stop-shop mechanism as well as those relating to the principles for protecting personal data. [The Irish Times] Jennifer Baker writes, however, that the plan is “far from ‘one stop’” and may make matters more cumbersome than the status quo. [No Food, No Drink, No Water: Council to Finalize Regulation Draft] Meanwhile, The Wall Street Journal reports on the ways the draft regulation might irk U.S. tech companies.

EU – Oettinger Calls for “Digital Union of Europe”

With the EU being “the largest single market in the world” but still consisting of “28 fragmented digital markets,” European Commissioner Günther Oettinger is calling for a “Digital Union of Europe … which can become a capable partner for the United States, China and India.” “A national data protection law is no longer respected by Google, Facebook or Apple,” he said. [EurActiv]

EU – Leaked Documents Reveal Which Nations Support Proposed Regulation

LobbyPlag has obtained approximately 11,000 pages of classified EU documents as well as German diplomatic cables on the proposed General Data Protection Regulation. Among the leaked documents, the group put together an infographic detailing which national governments “are lowering or raising data protection laws in Europe.” According to the leaked documents, Ireland ranks third worst, just behind Germany and the UK, for undermining the EU’s data protection rules. [Full Story] [Is the Proposed Regulation Broken?]

EU Commissioner Jourová: Suspending Safe Harbor is “Plan B”

A delegation of 11 Members of the European Parliament is visiting the U.S. this week to discuss issues including “the renewal of the so-called Safe Harbor deal that regulates the transfer of personal data of EU citizens to the U.S.” [PCWorld] In a wide-ranging interview, European Commissioner Vera Jourová said she wants to finalize Safe Harbor negotiations by May and that the EU will be “strict” about ensuring the U.S. government adheres to internal rules governing the use and safety of EU citizen data for national security purposes. As she heads up Justice, Consumers and Gender Equality for the commission, Jourová said the pending data protection regulation is also one of her two top priorities, and she said there is “strong momentum to finalise the reform by 2015.” She expects an EU Council vote by June and then the beginning of the trilogue process. [EurActiv]

EU – Advocates Worry They’re Losing Out on TPP Deal

As negotiations over the Trans-Pacific Partnership enter final stages in Hawaii this week, privacy advocates worry that even long-time privacy supporters like Sen. Ron Wyden (D-OR) are allowing too much surveillance of American and global citizens by corporations. Specifically, they “worry that data flow provisions in the trade agreement will enable big companies to fight and discourage strong privacy rules abroad.” While tech firms are often on the same side as advocates in battles over, for example, the Stop Online Piracy Act, here they find themselves at odds. It’s become “a Rorschach test,” said Google Head of Global Trade Policy David Weller, “whether you think kind of deep evil is being done or not …” [Huffington Post]

EU – Dutch Court Strikes Down Law; Germany Plans to Introduce Retention

The District Court of The Hague struck down the nation’s data retention law that gives law enforcement access to telecommunications data. The law had required telecommunications providers to collect and store users’ data for up to 12 months. According to the ruling, the law violated citizens’ rights to privacy. “The judge finds that this violation is not limited to what is strictly necessary,” the ruling stated. The Dutch government has argued the law helps it find and defend against terrorists. The ruling can still be appealed. Meanwhile, Germany’s government “plans to introduce data retention in a national solo run.” [The Wall Street Journal]

EU – Irish Government Defends Record on Regulation Negotiations

In response to a report alleging the Irish government is looking to water down privacy protections in the upcoming Data Protection Regulation, accompanied by some 11,000 classified documents, the Department of Justice (DoJ) is defending its record. While LobbyPlag analyzed the documents to show just one of Ireland’s tabled changes “improved privacy,” the DoJ argued the report is “based on a crude analysis of footnotes recorded in council texts” and that those footnotes need to be placed in context of wider arguments. For instance, Ireland was seeking compromise when holding the presidency. [The Irish Times]

EU – FTC and Dutch DPA Sign Enforcement Pact

The U.S. FTC and the Dutch Data Protection Authority (DPA) have announced they have signed a memorandum of understanding (MoU) to bolster their information-sharing and enforcement efforts in matters related to privacy protection. “In our interconnected world, cross-border cooperation is increasingly important,” FTC Chairwoman Edith Ramirez said. “This arrangement with our Dutch counterpart will strengthen FTC efforts to protect the privacy of consumers on both sides of the Atlantic.” Dutch DPA Jacob Kohnstamm said, “The signing of this MoU between the Dutch DPA and the FTC is a great step … and marks the good relationship between our offices.” [FTC press release]

EU – CNIL Issues BYOD Guidelines

The French Data Protection Authority, the CNIL, has published new guidelines on bring your own device (BYOD). The guidance includes that if a company has already made a standard declaration to the CNIL about employee management or employs a data protection officer, there’s no need for additional declarations to cover its BYOD policy. [Hogan Lovells’ Chronicle of Data Protection]

UK – Inquiry Calls for Overhaul of Surveillance Laws but Clears Spy Agencies

Civil liberties advocates have long been concerned about the surveillance powers of government agencies, and some were dissatisfied with the oversight panel. Shami Chakrabarti, director of Liberty, an advocacy group, said that the committee “has repeatedly shown itself as a simple mouthpiece for the spooks — so clueless and ineffective that it’s only thanks to Edward Snowden that it had the slightest clue of the agencies’ antics.” [NY Times]

EU – A New Era at the EDPS

With the release of “The EDPS Strategy 2015-2019,” European Data Protection Supervisor Giovanni Buttarelli and Assistant Supervisor Wojciech Wiewiórowski have sketched out a bold vision with ambitious goals, writes Christopher Kuner. The document lays out three major strategic objectives and 10 action items, and the interest in these pieces couldn’t be more clear: The release was attended by the first vice president of the European Commission and the chairman of Parliament’s LIBE Committee. Kuner analyzes why data protection has become so high-profile and what we can take away from the new five-year plan. [Privacy Perspectives]

Facts & Stats

WW – How Do the World’s DPAs Break Down by Gender?

With so many popular “Women Leading Privacy” events at the IAPP Global Privacy Summit, during the recent update of IAPP’s global data protection authorities (DPA) information page, IAPP decided to delve deeper into the question. This feature looks at DPA leadership according to gender and compiles the results, broken down by regions around the world. See whether Women Leading Privacy efforts so far have resulted in more opportunity on the regulatory side as well as in the private sector. [Full Story]


UK – ISPs Take Another Tack to Block the Pirate Bay

Internet service providers (ISPs) in the UK are now blocking websites that offer pirated content as well as those that serve as proxies for such sites and even sites that simply list the proxy sites. The reach of the court order has raised concerns about censorship. [BBC] [WIRED] [The Responsibility of Operationalizing the Right To Be Forgotten | Google Report ]


US – Report: 80% of Global Merchants Fail PCI DSS

According to a new Verizon Communications report, four out of five global retailers fall short on debit and credit card security, failing the Payment Card Industry Data Security Standard (PCI DSS), Reuters reports. The report also found that businesses tend to upgrade security software only just before a PCI DSS compliance check. Data for the report was gathered from more than 5,000 companies in 30 countries. Additionally, Verizon found that in the past 10 years, not one company that suffered a breach was compliant with the standards at the time of the incident. [Full Story] [Verizon 2015 PCI report: More achieve PCI compliance, but fail to keep it] [Verizon: PCI requirement to test security systems a compliance weak point for orgs]

US – Orfel: Compliance Report Findings “Sobering”

Verizon’s 2015 PCI Compliance Report “should serve as a loud and clear wake-up call to everyone in the business community who cares about the payment data security of their customers,” writes Stephen Orfel, general manager of the PCI Security Standards Council. That’s because the report’s findings “are sobering,” Orfel writes, noting “a compound annual growth rate of 66%” in security incidents since 2009. Further, of the payment card breaches investigated by Verizon’s forensics team in the last 10 years, not a single organization was PCI DSS compliant at the time of the breach. “The business community needs to up its game to answer this enormous challenge,” Orfel writes. [The Hill]

US – AG, Credit Reporting Agencies Reach Settlement

The nation’s major credit reporting agencies have agreed to overhaul their approach to fixing errors and their treatment of medical debts on consumers’ reports. New York State Attorney General Eric Schneiderman announced Monday his office has reached a “sweeping settlement” with the agencies, which keep records on more than 200 million individuals. The settlement was prompted by an investigation in 2012. [The New York Times]

US – NCUA Seeks Power to Examine Third-Parties

The head regulator for the National Credit Union Association (NCUA) is pleading with Congress to give her agency the power to examine and police third-party vendors in an attempt to thwart cyber-hacking. The NCUA is the only federal banking regulator without the power to examine third-party vendors.

CA – Alberta Online Bank First In Canada to Shun U.S. Clients amid Tax Rules

The shunning of U.S. customers is part of the spreading fallout from the U.S. Foreign Account Tax Compliance Act, which came into force this year. The law is the centrepiece of a concerted U.S. effort to crack down on overseas tax evasion by identifying all offshore American account holders. Canadian financial institutions have complained loudly about steep FATCA-related compliance costs, which can reach as high as $100-million for each of the Big Six banks. It’s also caused extreme stress for hundreds of thousands of Americans and dual Canada-U.S. citizens living in Canada, many of whom have never filed U.S. taxes. The new reporting rules mean they find it much trickier to avoid filing U.S. taxes and other required forms. Under U.S. law, Americans must file U.S. taxes every year, regardless of where they live. A number of financial institutions in Europe and elsewhere are already balking at doing business with Americans. [Source]

US – Clinton: Gov’t Doesn’t Have Right to Review Her Personal Emails

While Hillary Clinton says neither the federal government nor an independent third party has the right to review emails she sent as secretary of state if she deems them personal, that’s inaccurate because State Department guidelines say there is “no expectation of privacy” for personal emails sent by government employees on a departmental email system. “No one creating records on an official government network has an individual ‘privacy right’ to demand that their emails or records should be shielded beyond the reach of public access requests under FOI laws, state or federal,” said Drinker Biddle’s Jason Baron. [USA Today] See also: [Clinton excuse ‘laughable’: veteran official] [Read the three BYOD mistakes Hillary Clinton made “and how your BYOD policy can avoid them.”]

US – Facebook Report Details Government Data Requests

Facebook’s Global Government Request Report shows that the overall number of requests the company received from governments worldwide increased slightly from the previous six months. The majority of the data requests were related to criminal cases. In the US, nearly 80% of requests were met with the release of some data. While requests from the US and German governments declined, the number of requests in the US may be higher than the figures indicate because Facebook did not include national security requests in its report. Facebook also notes that requests to restrict or take down content rose 11% over the previous six months. [ComputerWorld] [ZDNet] [Forbes]

WW – In Growing Market for Genetic Data, Privacy Implications Prove Lasting

SC Magazine reports on the work of researcher Michael Goetzman on the security implications of DNA technologies. Goetzman found “that the increasingly lucrative market for data brokers may simultaneously amplify breach concerns in the healthcare sector,” the report states. [SC Magazine]

Health / Medical

US – Wyden Concerned About Health Info Privacy on Campuses

Sen. Ron Wyden (D-OR) asked for details about the thoroughness of privacy protections on health information for students who use college and university medical facilities. Wyden wrote a letter to Education Secretary Arne Duncan with concerns that patients have less understanding of the rules governing campus health facilities versus those governing outside practitioners. “College students should be able to expect the same level of privacy as other people when it comes to the incredibly sensitive information they give their on-campus health and mental health providers,” Wyden said. [KTVZ] edSurge reports optimism is coming back to the student privacy debate. Electronic Privacy Information Center’s Khaliah Barnes said, “It’s a false dichotomy: Privacy and innovation can and should exist.” [Student Sues UMontana Over Info-Sharing]

US – HITRUST Releases Review Findings

The Health Information Trust Alliance (HITRUST) has released the findings from its three-month review of cyber-risk management for the healthcare industry. “The analysis uncovered a constant theme: that today’s approach to cybersecurity is predominantly reactive and, for the vast majority of organizations, inefficient and labor-intensive,” HITRUST’s announcement states. And Government Health IT reviews the lessons privacy and security professionals can learn from each other.

Horror Stories

US – Three Charged in Massive Data Breach

The Department of Justice (DoJ) has charged three men for taking part in what it says is “one of the largest” data breaches uncovered in U.S. history. The three are charged with running a cyber-fraud ring that stole one billion email addresses and then sent spam offering knockoff software products. While the DoJ hasn’t named the companies involved in the breach, it appears Epsilon was among them, the report states. Two of the three men are now in custody; one has pleaded guilty to conspiracy to commit computer fraud while the other is charged with conspiracy to commit money laundering. The third is a Vietnamese citizen who was living in The Netherlands. [Krebs]

US – Breach Bill Discussed; More Breaches Announced; Class-Action Filed

Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) are circulating their Data Security and Breach Notification Act of 2015, which would preempt 47 state data notification laws. [Gov Info Security] Meanwhile, a Wired article discusses the “crooked path to determining liability” in breaches.

US – Mandarin Oriental Breach

The Mandarin Oriental hotel chain has confirmed a breach of its systems that compromised customer payment card information. The attack affected point-of-sale systems at 45 of the company’s hotels. [Krebs] [BBC]

WW – Superfish Removed from 250,000 Windows Machines

Microsoft, along with Lenovo and other software manufacturers, has managed to scrub Superfish adware from 250,000 Windows-based PCs. According to Microsoft’s security team, the daily number of Lenovo machines infected has dropped below 1,000; at its peak, Superfish had been found daily on 60,000 PCs. [ComputerWorld] See also: [FREAK Still Affects Some Cloud Services]

US – School Accesses Rape Victim’s Medical Records

A woman is suing the University of Oregon for privacy violations after it allegedly used her mental health records to defend itself against allegations it “mishandled” her sexual assault by three of its basketball players. The three players were kicked out of school, but the assault case never went to trial. The woman suing the school had received therapy at the school’s clinic after being sexually assaulted. The university then allegedly used those records in its defense. The student-run Organization Against Sexual Assault’s Kelsey Jones said, “It’s very concerning for a lot of people … It’s 10 times harder now to seek that help and feel safe and feel OK to share 100% of what you’re feeling.” [NPR]

US – Other Breaches

  • Bistro Wants Suit Dismissed: P.F. Chang’s China Bistro has asked the Seventh Circuit to uphold a lower court’s dismissal of a class-action stemming from a data breach at the chain.
  • A Google software problem has exposed personal information on the owners of about 300,000 websites
  • Uber is facing a potential class-action over a recently disclosed data breach involving 50,000 of its drivers.

Identity Issues

New Guidance Released for De-ID

HITRUST announced it will release a De-Identification (De-ID) Framework, with guidance, standards and controls for de-identifying data in a healthcare setting. The framework includes use cases for defining levels of anonymization, criteria for evaluating De-ID methods and technical controls for mitigating the risk of using and storing health data. HITRUST will host a webinar March 24 to introduce the framework, at which point it will be available for download. [HealthData Management]

US – Do We Need a New Definition of Privacy?

News.Rutgers reports on the work of School of Communication and Information Assistant Prof. Vivek Singh and his recent paper, “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata.” Singh, who is currently a visiting professor at MIT, suggests the research shows “we need to rethink the ideas we have about privacy,” the report states. Singh explains, “It is relatively easy for anyone, with just a bit of information, to find out very private details about our lives … We therefore need to redefine our current definition of privacy.” While the research doesn’t prove “that we all have any lesser privacy than before or that privacy is gone,” he notes, it “does show that we do need to rethink how we measure and define it.” [News.Rutgers]

Internet / WWW

US – FCC Releases Net Neutrality Rules

Documents from the US Federal Communications Commission (FCC) show that the commission is going to treat broadband as a public utility, which means it will be subject to more stringent regulation. The document indicates that the FCC will determine what is deemed acceptable on a case-by-case basis. [NYTimes] [Washington Post] [Silicon Republic] [FCC Press Release] [Net Neutrality Has Sparked an Interagency Squabble Over Internet Privacy: The FTC and the FCC are arguing over who is better at protecting consumers.]

WW – UN Needs Privacy Rapporteur: Advocates

The Electronic Frontier Foundation (EFF) has joined a group of 60-plus advocacy groups to call for the creation of a UN special rapporteur on the right to privacy. “The special rapporteurs are independent experts appointed by the Human Rights Council and serve in their personal capacities,” the EFF announcement states. “A special rapporteur would play a critical role in developing common understandings and furthering a considered and substantive interpretation of the right to privacy in a variety of settings.” The EFF notes privacy is one of the few rights that does not have specialist attention in the UN. “There is a pressing need to better articulate the content of this right as part of international human rights law and produce guides on its interpretation,” the report states. [Full Story]

US – NIST Releases Draft of IoT Standard Framework

The National Institute of Standards and Technology (NIST) cyber-physical systems public working group has released a discussion draft of its Framework for Cyber-Physical Systems—what has come to be known as the Internet of Things. It synthesizes the work of five subgroups, one of which covered security and privacy, and offers the beginning of a common way of working with and protecting an array of items on the network as varied as cars and pill bottles. NIST is receiving feedback on the draft in the lead-up to the next in-person meeting of the working group, April 7 and 8. NIST hopes to have a finalized draft in 2016. [Hogan Lovells Chronicle of Data Protection]

Law Enforcement

US – Seattle Police Post Body Camera Footage for Public Viewing

Seattle police have posted footage from police-worn body cameras to their own YouTube channel. The new program is uncommon and probably the first in the country. But it answers a question facing every department employing body-worn cameras: How much should police show the public? In the past, the Seattle Police Department faced criticism for setting up drone networks or wireless cameras before holding public meetings. But police hope posting the footage for the public to view will engender trust. Phil Mocek of Seattle’s Privacy Coalition, however, worries the public footage could be used as a “roving network of public surveillance.” [The Guardian]

US – New Lawsuit by ACLU Targets Cellphone Snooping With Stingray Device

The ACLU suit, filed in Orange County Superior Court, seeks to find out what the state’s bigger police forces are doing with those peripheral numbers, what they are doing with the targeted data and what rules have been set to ensure the data aren’t being abused. …In a survey by the ACLU of nine California police agencies, three – including Santa Ana and the Orange County Sheriff’s Department – said they do not have StingRays. However, an official with the Orange County Sheriff’s Department confirmed that his agency is looking for money to buy a StingRay. [Source]

WW – TomTom Addressing Privacy Concerns

GPS maker TomTom is planning to improve its service by using its customers’ travel data to make more timely updates to its road navigation software; however, this time around it plans to be more clear on how it uses customer data. According to Vice President of Privacy and Security Simon Hania, allegations the company shared data with police back in 2011 led the company to “take more action to better communicate how it uses customer data,” the report states. The data will also be encrypted, anonymized and held on secure servers. “If you cannot explain to your users what you are doing and why, maybe you shouldn’t be doing it,” Hania said.

WW – Fieldfisher Releases “Managing Global Data Residency Risk” Report

Fieldfisher has announced the publication of its “Managing Global Data Residency Risk” report, which provides an in-depth look at issues around Data Residency Rules—laws prohibiting the transfer of personal data from specific countries or regions unless certain legal standards are met—and legal solutions that enable international data exports. “In an increasingly data-hungry and interconnected world, data protection issues continue to take on greater importance, and it is against this backdrop that the report has been produced,” Fieldfisher said in its announcement on the report’s release. The report compiles research by privacy specialists on 47 territories worldwide. [Full Story]

Online Privacy

US – DARPA Details Plans for Privacy Tools

The Defense Advanced Research Projects Agency (DARPA) has formally announced its plans to research and develop tools for online privacy. Named for Supreme Court Justice Louis Brandeis, the new program “seeks to explore how users can understand, interact with and control data in their systems and in cyberspace through the expression of simple intentions that reflect purpose, acceptable risk and intended benefits,” the report states. DARPA Program Manager John Launchbury said the aim is to develop methods that can help protect private data “without having to impose cumbersome protective mechanisms that ultimately deplete the larger value of the information at hand.” The four-and-a-half-year program will be split into three 18-month phases resulting in experimental systems that show privacy technologies at work. [Full Story]

US – DARPA “Brandeis” Program Aimed at Privacy Protection

The Defense Advanced Research Projects Agency (DARPA) is examining a program the agency says will help develop the “technical means to protect the private and proprietary information of individuals and enterprises.” The program is named after Louis Brandeis, frequently referred to as the “father of privacy.” DARPA will gauge interest in the program at a Proposer’s Day event on March 12. Meanwhile, IBM has also said it is offering technology “to encrypt the certified identity attributes of a user, protecting privacy and enhancing security.” The program is called Identity Mixer and prevents third parties from accessing data “by revealing only selected data to service providers,” the report states. [NetworkWorld] [DARPA is tackling online privacy. But can you trust them?]

EU – Facebook Says Users Consented to Scans

Facebook intends to defend itself in a privacy lawsuit by arguing that users agreed to allow the company to scan “private” messages in order to determine whether people are sending their friends links to sites outside of Facebook. “Facebook users expressly consented to the conduct,” Facebook said in a report filed last week with U.S. District Court Judge Phyllis Hamilton. The proposed class-action alleges “Facebook violates the federal wiretap law and a California privacy law by scanning the private messages that users send to each other through the company’s platform,” the report states. [MediaPost]

US – Twitter Responds to Critics, Revises Image Policy

Just over a month after a public declaration by CEO Dick Costolo that Twitter had done a poor job protecting people from harassment, he has announced a new policy banning nonconsensual illicit images and videos. Issuing an FAQ based on a Buzzfeed questionnaire originally posed to Reddit, Twitter said it has changed its privacy notice and terms of service: “You may not post intimate photos or videos that were taken or distributed without the subject’s consent.” Those in pictures or videos can submit takedown requests, and accountholders may appeal the action, but the images will be hidden from view and the account will be locked. If there is no appeal, or the appeal fails, the accountholder will not be allowed to return until the image is deleted. Meanwhile, U.S. Rep. Katherine Clark (D-MA) has called on the Department of Justice to increase prosecution of online harassment cases. [Full Story] A Twitter conversation about one ed-tech company’s terms of service prompted the company to change the policy to meet privacy concerns.

US – Amidst Consumer Concerns, Calls for ECPA Reform, Chip-and-PIN Tech

With persistent data breach reports in the news and polls indicating most U.S. consumers don’t believe their personal data is safe, there are new and persistent calls for changes. Digital Fourth, a coalition of technology companies, advocates and other groups, has renewed its “call for Congress to change a 29-year-old electronic privacy law called the Electronic Communications Privacy Act (ECPA).” [IDG News Service reports] Debra Berlyn writes on ProtectMyData, “a consumer education campaign advocating the implementation of chip and PIN technology for credit and debit cards.”

US – Apple Watch Gets Cautious Approval from Advocates

The Apple Watch has a sensor allowing users to keep track of their heart rates and even share that information with friends, signaling Apple’s move into the health space. The watch can be used in concert with Apple’s new ResearchKit software, “a platform for medical researchers, which will let them pull in data from the many sensors on the Watch and iPhone from willing iGuinea Pigs,” the report states. Privacy Rights Clearinghouse’s Pam Dixon said she’s pleased with the watch’s defaults, but added the onus is on users to be sure they’re not sharing data with third parties that could use it to harm them. [Fusion] [The CIA Campaign to Steal Apple’s Secrets]

US – FTC to Look at Cross-Device Tracking

The US FTC will hold a workshop in the fall to examine cross-device tracking and how it affects consumers. Such events can indicate that the agency will follow up with reports and increased enforcement of privacy rules. [Washington Post]

WW – Skype Updates Privacy Statement for User-Friendliness

Skype announced this week it is “updating the look of its Privacy Statement” with an aim toward “increasing the transparency of the organization as a whole, highlighting the information that is typically hidden from the consumer,” Sean Cameron writes. “At Skype, we want to make it easier for you to understand and review the important documents that relate to our products and services,” Skype announced. [WinBeta]

Other Jurisdictions

AU – Proposed Law’s Amendment Protecting Journalists Raises Questions

Australia’s government is one step closer to enacting its data retention laws after agreeing “to a Labor amendment to protect journalists’ sources.” And while other concerns remain, “the bill to force communications companies to keep customer information for two years is set to pass through Parliament by the end of next week,” the report states. Labor’s Jason Clare is calling the amendment “a good result; it’s a victory for journalists,” while Sen. Scott Ludlam asked why journalists are being singled out: “I think the government has left itself open to, well, what about doctors, what about diplomats, what about legal professional privilege, what about serving military officers?” [ABC]

AU – Data Retention Bill Set to Become Law

Australian Communications Minister Malcolm Turnbull and Attorney-General George Brandis have agreed to a suite of recommendations made by a Parliamentary Joint Committee, meaning that new data retention legislation will soon become law. The law will require telcos to keep a set of customer data, including call records, IP addresses, email addresses, text history and more, for a minimum of two years so the data can be accessed by law enforcement if necessary. Following the bill’s passage, roughly 20 agencies would have access to the data. [ZDNet]

AU – Over 100 Data Breaches Voluntarily Reported to OAIC in Past Year

One year into the Privacy Act, the Office of the Australian Information Commissioner issued a “law reform report card,” detailing “how organisations and agencies have responded positively to the challenge of implementation.” The Office of the Australian Information Commissioner received over 100 voluntary data breach notifications, and saw a 43% increase in privacy complaints in the 12 months since changes to the country’s Privacy Act came into effect. Australian Privacy Commissioner Timothy Pilgrim said that he has been pleased to see private organisations and government agencies respond positively. “This is recognition that good privacy practices are good for business, particularly in building customer trust,” he said. “For the next 12 months, our focus will be on governance, assisting organisations and agencies to build a culture of privacy, and ensuring that organisations and agencies are proactive in meeting their compliance requirements.” [Source] [Privacy Act amendments chalk up first anniversary: OAIC has received 4016 privacy complaints over past year says Timothy Pilgrim]

Privacy (US)

US – Wong: CPBR Gives Framework for National Privacy Discussion

President Barack Obama’s release of the proposed Consumer Privacy Bill of Rights Act (CPBR) has been met with an array of reactions. Among the recent reports on the CPBR, The National Law Review and Lexology examine the bill in detail. And the reaction pieces include Sen. Al Franken (D-MN) stating the CPBR “lacks the necessary teeth to hold companies accountable for their privacy policies and to ensure robust protections for consumers’ information,” while the Technology Policy Institute’s Thomas M. Lenard suggests it marks a step toward “regulating the Internet.” In a piece for The Christian Science Monitor, former White House Deputy Chief Technology Officer Nicole Wong writes, “What we need today is a framework for a national discussion about privacy regulation, and that is what the White House has given us.” [Full Story] SEE ALSO: [White House releases proposed “Consumer Privacy Bill of Rights,” to little acclaim: Privacy advocates don’t like it, and tech companies don’t either] | [White House draws fire from privacy advocates over Consumer Privacy Bill of Rights] | [Obama’s ‘Privacy Bill of Rights’ Gets Bashed from All Sides: Some privacy advocates are disappointed that the proposal would not give the FTC the power to set regulations to enforce the principles. Instead, companies and industry associations would write their own rules and then ask the FTC to sign off on them. Additionally, the bill would overturn state laws that offer stronger protections. But the Web companies themselves aren’t so thrilled with the proposal either. Michael Beckerman, the CEO of the Internet Association, which represents Google, Facebook, Amazon, Yahoo, and others, warned that the bill “casts a needlessly imprecise net.”]

US – Wyndham Case Could Reach SCOTUS

The Hill covers oral arguments in Wyndham Worldwide Corporation’s battle against “the FTC in a high-stakes legal case that will help define the role of the federal government in protecting the security of consumer data online.” Wyndham is trying “to reverse a district judge’s decision endorsing the FTC’s enforcement authority,” the report states, noting Wyndham’s lawyers argue the FTC “overstepped its authority by punishing companies for weak cybersecurity.” Indiana University’s Fred Cate said, “I would not at all be surprised if the case went to the Supreme Court … And if in fact this went against the FTC, Congress would almost certainly have to act because we would be left without a security regulator with authority across the economy.” [The Hill] [Oral arguments in Wyndham Worldwide Corporation’s battle against the FTC]

US – New Commerce Data Advisory Council Members Announced

Secretary of Commerce Penny Pritzker has announced the members of the new Commerce Data Advisory Council (CDAC), which includes “19 of the best and brightest private- and public-sector thought-leaders on data management and dissemination in the United States.” The CDAC’s role is to help guide the Commerce Department’s efforts “to foster innovation, help create jobs and drive better decision-making throughout our economy and society.” A full list of the CDAC members can be found here. “Together, they will help us make our data easier to access and use, and maximize the return of data investments for entrepreneurs, government, businesses, communities and taxpayers,” Pritzker said. [Full Story]

US – NTIA Seeks Comments on Drone Privacy

With its plans to hold its “multistakeholder process,” a series of meetings with interested people aimed at developing best privacy practices for the aerial drone industry, the National Telecommunications and Information Administration (NTIA) has announced it has “opened up a request for comments on discussions aimed at developing privacy best practices for both the commercial and private use of drones.” “The public is invited to submit suggestions concerning the structure of the multistakeholder engagement and the substantive issues stakeholders will discuss,” the NTIA wrote in its announcement, noting it “expects to convene the first public meeting within 90 days from the publication of the Request for Comment.” [PCWorld]

US – Judge Dismisses Breach Suits Over Lack of Provable Harm

A federal judge last week dismissed two would-be class-action lawsuits filed over last year’s Paytime, Inc., breach. The plaintiffs who sued the national payroll firm said they faced the threat of identity theft because of the breach and that the company delayed informing them of the breach. But U.S. Middle District Judge John Jones said in dismissing the suits that none of those who sued Paytime have been identity theft victims. “There is simply no compensable injury yet, and the courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to be able to successfully read and manipulate the data and engage in identity theft,” he said. [PennLive]

US – Jury Denies Damages for Privacy Intrusion Victim

A jury has found a California man is “not entitled to monetary damages from a neighbor he claimed used her position as a Sonoma County social worker to pry into his confidential files and embarrass him.” Eugene Alexeev testified in the trial that Lisbeth De Mejia, a Human Services Department eligibility worker, “shouted out confidential information about his lack of a job and dependence on public assistance in a 2010 argument,” the report states. Alexeev wanted damages for breach of privacy and infliction of emotional distress, and while jurors “found De Mejia’s conduct was outrageous and intrusive, violating Alexeev’s privacy,” they decided it had not been the cause of his “anxiety, crippling headaches, loss of sleep and depression,” the report states. [The Press Democrat]

US – Judiciary Committee Approves FBI Hacking Rule Change

A judicial advisory panel has approved a rule change that will broaden the FBI’s hacking authority despite concerns the amended language violates the Constitution. The Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to allow judges more flexibility in how they approve search warrants for electronic data, the report states. The ACLU and others have said the rule violates Fourth Amendment rights on search and seizure, and Google said Congress should decide on such a rule. Meanwhile, the Treasury Department has issued a final rule exempting it from having to reveal to holders of preparer tax identification numbers the names of those who’ve asked for their files. [National Journal]

US – Department of Education Issues “Model Terms of Service” 

Despite the title, the Model Terms are not a template that the Department expects schools to insist that their online educational services and applications adopt when providing services to the school. Instead, the document contains a checklist of the types of privacy-related provisions that commonly appear in online services’ TOS, such as provisions related to marketing and advertising, modifications to the TOS, data use, data sharing, security controls, and data de-identification. For each type of provision, the document provides sample TOS provisions under the headings “GOOD! This is a Best Practice” and “WARNING! Provisions That Cannot or Should Not Be Included in TOS,” and explains why those provisions either represent a best practice or are problematic when considered in light of schools’ privacy obligations. [Source]

US – Companies Not Living Up to Student Pledge

Natasha Singer suggests companies are not living up to the Student Privacy Pledge. The pledge requires companies to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality and integrity of student personal information against risks—such as unauthorized access or use,” but Singer suggests some “companies signed the pledge even though, at the time they joined, they had not begun full encryption, an elementary security measure.” The Future of Privacy Forum’s Jules Polonetsky said, “Companies that don’t provide strong security for sensitive data can be at legal risk for violating the pledge, state laws and contractual commitments.” [The New York Times]

US – No Privacy in Your Trash, Minnesota Supreme Court Rules

The State Supreme Court upheld a Court of Appeals ruling that rejected the argument that the search was unconstitutional. It said the U.S. Supreme Court has ruled consistently that trash is public. But the Minnesota court considered whether Minnesota’s Constitution affords greater protection than the U.S. Constitution on the matter. …It doesn’t, Justice Wilhelmina Wright wrote in her opinion. [Source]

US – Swire Recognized for Privacy Leadership

At the IAPP Global Privacy Summit, Georgia Tech Scheller College of Business Prof. Peter Swire was awarded the IAPP 2015 Privacy Leadership Award. The award recognizes a leader in the field of privacy and data protection who has demonstrated an ongoing commitment to furthering privacy policy, promoting recognition of privacy issues and advancing the growth and visibility of the privacy profession. Accepting the award, Swire said he’s had a lifelong fascination with the intersection of technology, policy and law and has always loved science fiction—stories about how people and societies respond to new technological challenges. He likened such stories to what privacy professionals do in their daily jobs. [Full Story] See also: [FTC Chair Edith Ramirez Talks Privacy, Data Security]

Privacy Enhancing Technologies (PETs)

WW – Windows 10 Settings Strive to Make Privacy More Accessible

A new report states that Microsoft’s Windows 10 and its new “Privacy” tab “has a bunch of privacy settings you won’t find in the traditional Control Panel, because a lot of these settings are more for tablets and phones than they are for laptops and desktops.” The report looks at such options as settings for location, ads and even microphone and webcam access. “The General section is where you’ll be able to quickly change basic privacy settings. For example, you can choose whether to let apps access your name, photo and other account info; you can let Windows track your typing and give you word suggestions based on what you write, and you can allow websites to access your language list,” the report states. [CNET]

US – Cashing in on Privacy; Good Reps Mean “Halo Effect”

With the recent shift away from the mindset that consumers don’t care about privacy, tech firms, service providers and start-ups have begun to tout their privacy-protecting features or build entirely new models and businesses around them. Companies like AT&T and Google have introduced pay-for-privacy models, and start-up Abine masks emails, encrypts passwords and blocks trackers for a monthly fee. Meanwhile, a recent study has shown that companies with positive reputations “benefit from a ‘halo effect,’ even when they have been accused of wrongdoing. However … companies with good reputations are punished more severely than companies with weaker reputations when the evidence of their wrongdoing is stacked against them.” [Quartz] [Meet the free encryption app that promises to put your privacy first: The Cryptocat developer’s new team aims to get easy file and message encryption into everyone’s hands, which could give Gmail and Dropbox (and the NSA) a run for their money.] | [Peerio is an encrypted messaging and file storage app for Windows, Mac, and the Chrome browsers that takes the likes of Gmail and Outlook, HipChat, and Dropbox to task. The app puts its users in the privacy driving seat, clearly marking for the lay user when something is encrypted.]


US – FTC Launching Data Security Initiative

Several FTC officials shared their views and concerns on recent developments in privacy, and Bureau of Consumer Protection Director Jessica Rich said the agency is set to launch “Start with Security” to provide businesses with resources, education and guidance on data security. This Privacy Perspectives piece highlights the details on the program Rich and FTC Chairwoman Edith Ramirez shared at the event, the four trends Commissioner Julie Brill said the FTC is looking at and reactions from the FTC on the Obama administration’s proposed Consumer Privacy Bill of Rights. [Full Story] A three-judge panel has suggested the Federal Trade Commission should handle privacy cases in its own administrative court rather than in federal court. [The Wall Street Journal]

WW – Cyber-Threats Outpacing Security Pros

A study of more than 1,000 security professionals in the U.S., UK and Canada “paints a picture of mounting pressures on organisations due to a shortage of necessary specialist skills, tight budgets and poor employee education,” suggesting security pros are not able “to keep pace with cybersecurity threats” from both external and internal sources. [Reuters]

WW – NSS Labs’ Testing Service Will Hold Security Vendors Accountable

NSS Labs, an independent security testing company, has developed a testing service to see how security vendors stack up—including which real threats their products are blocking and which they’re not. The new offering from NSS Labs allows security officers to test products in real time through a service that does not sell security products. This kind of benchmarking is sure to shake up an industry that is loath to admit it doesn’t catch everything. NSS Labs got a taste of that kind of backlash last year, after it released a test of various breach-detection systems, which found that FireEye, then the darling of the breach detection space, underperformed similar offerings from Cisco, General Dynamics and Trend Micro. NSS Labs actually issued a grade of “caution” to customers who used FireEye’s web and email malware protection systems. [The New York Times]

US – Wikipedia Sues NSA; CIA Tried to Break Apple Security

Online encyclopedia Wikipedia has announced it will sue the NSA for its bulk surveillance programs, arguing they threaten freedom of speech and violate the Fourth Amendment. “By tapping the backbone of the Internet, the NSA is straining the backbone of democracy,” said Wikimedia Foundation Executive Director Lila Tretikov, adding, “By violating our users’ privacy, the NSA is threatening the intellectual freedom that is central to people’s ability to create and understand knowledge.” [National Journal] See also: The Intercept reports on a multi-year effort by the CIA to break the security of Apple’s iPhones and iPads. [NSA sued by Wikimedia, rights groups over mass surveillance: Lawsuit claims NSA illegally taps ‘backbone’ of Internet making a potentially new front for rights activists against spy agency. The litigation takes on what is often called “upstream” collection because it happens along the so-called backbone of the Internet and away from individual users. Bulk collection there violates the constitution’s First Amendment, which protects freedom of speech and association, and the Fourth Amendment, which protects against unreasonable search and seizure, the lawsuit said.] | [Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance: When the 2013 public disclosures about the NSA’s activities revealed the vast scope of their programs, the Wikimedia community was rightfully alarmed. In 2014, the Wikimedia Foundation began conversations with the ACLU about the possibility of filing suit against the NSA and other defendants on behalf of the Foundation, its staff, and its users.] | [The case challenges the NSA’s use of upstream surveillance conducted under the authority of the 2008 Foreign Intelligence Surveillance Act Amendments Act (FAA). Upstream surveillance taps the internet’s “backbone” to capture communications with “non-U.S. persons.” The FAA authorizes the collection of these communications if they fall into the broad category of “foreign intelligence information” that includes nearly any information that could be construed as relating to national security or foreign affairs. The program casts a vast net, and as a result, captures communications that are not connected to any “target,” or may be entirely domestic. This includes communications by our users and staff.]


ET – Ethiopian Government May be Using Spyware Against Journalists

The Ethiopian government is allegedly spying on Washington-area journalists who work for Ethiopian Satellite Television (ESAT) with spyware intended for use by law enforcement. ESAT computers were infected in 2013 when an employee opened what turned out to be a malicious file. That attack was likely aided by a tool from Italian company Hacking Team. A more recent incident revealed another attempt at such an attack. A spokesperson for the Hacking Team said the company cannot divulge clients’ identities or locations, and that it would take action if it learned that entities were misusing its products. [Washington Post]

Telecom / TV

EU – Dutch Court Strikes Down Data Retention Law

A Dutch district court has struck down a law that required telecommunications providers to retain customer data for six to 12 months. The law was initially enacted in 2009 to fulfill the EU directive on data retention, which the European Court of Justice struck down last spring. [ZDNet] In related news, Bulgaria has also revoked its data retention law, and the European Commission announced it will not be looking to introduce a new directive to require telcos “to store the communications data of European Union citizens for security purposes”. Of course, individual member states may introduce their own national laws, but there will be no requirement at the EU level to do so.

US – Former AT&T Biz Partners: Privacy Record Should Be Scrutinized

Dozens of former AT&T business partners have warned regulators that the company has a poor record on privacy, and increased scrutiny should be placed on its proposed $48.5 billion merger with DirecTV. The Minority Cellular Partners Coalition, which includes more than 90 former AT&T partners, has written to the Federal Communications Commission accusing the company of breaking the law by “voluntarily handing over data to the National Security Agency following the Sept. 11 terror attacks” without a court order. The coalition wants stronger privacy oversight of AT&T if the deal goes through. [U.S. News & World Report]

CA – Internet Carriers May Be Breaching Canadian Privacy Laws

In a privacy and transparency report, Teksavvy scores highest, while Videotron and Shaw score low. The study looked at the information provided publicly by internet carriers in Canada about how they protect customers’ privacy and ranked them based on 10 criteria. In fact, “it appears that many Canadian internet carriers are in violation of their legal responsibilities” under Canadian privacy law, says the report, entitled “Keeping Internet Users in the Know or in the Dark”, released by Toronto-area researchers. [Source]

WW – Android Lollipop 5.1 Brings Promised Anti-Theft “Kill Switch”

It’s the Android version of what’s known on the iPhone as Activation Lock or Find My iPhone. According to Secure Our Smartphones, the addition of the kill switch in iPhones running iOS 7 and iOS 8 has cut iPhone thefts dramatically in cities like San Francisco, New York and London – because, they say, would-be thieves have learned they can’t resell them. Although a remote lock-and-wipe feature is available on most Androids already, Device Protection promises to go beyond the Android Device Manager feature available on older versions. [Source]

US Government Programs

US – Survey: CTOs Concerned About Data Privacy, Security

The Consortium for School Networking (CoSN), which launched its Protecting Privacy in Connected Learning last year, has released its third K-12 IT Leadership Survey, and school technology leaders’ top concerns include the privacy and security of student data. “K-12 IT leaders are increasingly worried about the privacy and security of student data,” a CoSN press release states, noting 57% of respondents “said the issue is more important than it was last year.” Separately, Yale Law School has announced it is destroying student admissions evaluations and notations from the career development office “to avoid being forced to hand over a wide range of documents” amidst students’ Family Education Rights and Privacy Act requests for their files. [Full Story]

US Legislation

US – Senate Committee Approves CISA 14-1

By a vote of 14-1, the Senate Intelligence Committee “approved a controversial cybersecurity bill designed to help companies and the federal government better defend against the growing threat of data breaches.” The Cybersecurity Information Sharing Act (CISA) aims to help businesses and government thwart the threat of data breaches by expanding legal liability protections to companies sharing threat-detection data with each other and government agencies. CISA “is critically important both for our agencies that keep the country safe and the institutions that hold millions of Americans’ personal information,” said Sen. Richard Burr (R-NC). [CNet]

US – Senators Introduce Data Broker Legislation

Sens. Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have reintroduced legislation requiring “accountability and transparency for data brokers who are collecting and selling personal and sensitive information about consumers.” The Data Broker Accountability and Transparency Act (S 668) would allow consumers “to order the companies to stop using, sharing or selling data about them for marketing purposes,” and includes provisions for the FTC “to write regulations setting up a centralized website for people to easily understand their rights and get information about the companies.” Consumer Watchdog has endorsed the bill, while the Direct Marketing Association is opposing it. [Full Story]

US – Virginia Limits Retention Time for License Plate Reader Data

Virginia’s governor has signed legislation that limits the length of time law enforcement in that state may retain license plate reader data to seven days. While New Hampshire has banned license plate data collection altogether and Maine has set a 21-day retention limit, many other states have set no formal limits. The Virginia law allows the data to be retained more than seven days if they pertain to an active and ongoing criminal investigation. The law takes effect July 1, 2015. [Ars Technica]

US – CA Senator Proposes State Chief Data Officer

California Sen. Richard Pan (D-Sacramento) wants to overhaul the state’s open data portal and create the role of a chief data officer reporting to the secretary of the Government Operations Agency as leader of the effort. Pan’s bill “would task the governor with naming a chief data officer no later than Jan. 1, 2016, and require at least 150 data sets to be published on the statewide open data portal by 2017,” the report states. The bill also seeks the creation of “a statewide open data roadmap” and calls for all data inventoried by state agencies to be published on the data portal by 2022. [Techwire]

US – MN Privacy Amendment One Step Closer to Voters

Minnesota House Government Operations and Elections Policy Committee has given HF 327, a bill seeking to give Minnesota voters “an opportunity to amend their state constitution in order to reject significant parts of mass surveillance programs by both state and federal government officials,” a recommendation of “do pass.” HF 327 would allow Minnesota voters the chance to amend the state constitution and add references to protecting “electronic and communications data” against “unreasonable searches and seizures.” The report notes the addition “would make emails, phone records, Internet records and other electronic information gathered without a warrant inadmissible in state court.” [TenthAmendment]

US – Illinois AG Pushing for Stricter Breach Notification Law

While Illinois already has a law on the books mandating data breach notification, dating from 2005, Attorney General Lisa Madigan has unveiled, with Sen. Daniel Biss (D-District 9) and Rep. Ann Williams (D-District 11), an updated law that would expand the type of information requiring notification to include medical information, geolocation data, marketing data and much more. The law would also require that companies take “reasonable” steps to protect data. The move comes “after 67 million personal records were hit last year,” the report states. [Full Story]

US – Other Legislative News


15-28 February 2015


WW – Breakthrough in Facial Recognition: The ‘Deep Dense Face Detector’

The technology has developed over the last 14 years, and the recent breakthrough coming out of the Yahoo/Stanford team is based on a new approach, springing from advances made recently in a type of machine learning known as a deep convolutional neural network. To train their neural net, Farfade and the other researchers created a database of 200,000 images, including faces at various angles and orientations, plus another 20 million images without faces. They then fed their neural net batches of 128 images at a time, over 50,000 iterations. The result is what the team calls the Deep Dense Face Detector: an algorithm that can spot faces set at a wide range of angles, even when partially occluded by other objects, such as the hands and head that are blocking Jolie’s face in the image. [Source]

WW – New Face-Detection Algorithm Could Revolutionize Search

A new face-detection algorithm could revolutionize image searches online. Traditional facial detection methods involved a head-on photo, but new methods dependent on deep convolutional neural networks can capture and detect faces from several different angles. The team of researchers who have developed the technology call it Deep Dense Face Detector. “The great promise of this kind of algorithm is in image search,” the report states, adding, “It is inevitable that this capability will be with us in the not-too-distant future.” Meanwhile, Built in Chicago reports on facial recognition technology developed by startup Verie. The app verifies an individual by using his or her face. The startup says such technology could be used to verify job applicants, lendees or potential dates. [MIT Technology Review]

WW – Neuro-Ethicist: Brain Data Must Be Protected

Technological advances “are making it easier than ever to measure, interpret and even reconstruct brain activity,” while the proliferation of wearables is creating “more ways to map our brainwaves than ever before,” and that means more opportunities for companies to mine that data. This presents an interesting question: Who owns brain data? Neuro-Ethicist Paul Roote Wolp recently stressed the importance of setting up ground rules to protect cognitive privacy. For example, functional magnetic resonance imaging (fMRI) is beginning to be used for lie detection, the report states, and “it’s not unreasonable to expect police and other actors to use cognitive data in the future” to determine innocence or guilt. [Gizmodo]


CA – Bill C-51: Support for Anti-Terror Legislation But With Additional Oversight

Nearly half of Canadians say the draft law “strikes the right balance”, and fully one-third say it doesn’t go far enough. Four-in-five (82%) adult Canadians surveyed online by the Angus Reid Institute say they support the draft law, with fully one-quarter (25%) saying they “strongly” support C-51. Most Canadians (80%) profess to having at least heard about the legislation, and four in five respondents either strongly support (25%) or support (57%) Bill C-51. Opposition to the draft law stands at 17% in total, with just 5% saying they are “strongly” against the legislation. [Angus Reid] [Why Stephen Harper’s terror bill is so popular] [National Post View: We need parliamentary debate on Bill C-51] [Mulcair won’t commit to scrapping anti-terror bill, if ever in power] [“Total Information Awareness”: The Disastrous Privacy Consequences of Bill C-51] [Former justices, PMs express concern over lack of anti-terror oversight] [Former PMs call for more CSIS oversight as MPs debate anti-terror bill] [Bill C-51: Political battle lines drawn over anti-terror bill as election nears] [Anti-terror law shares information too easily, experts write] [NDP will oppose ‘overreaching’ terrorism bill, while Liberals offer support] [Anti-terrorism bill’s powers could ensnare protesters, Elizabeth May, MP fears] [Anti-terror Act: Would new bill protect your financial information?] [Bill C-51 moves us one step closer to the end of privacy: Forcese, Roach]

CA – Open Letter to Parliament: Amend C-51 or Kill it

The following is an open letter addressed to all members of Parliament and signed by more than 100 Canadian professors of law and related disciplines.

Dear Members of Parliament,

Please accept this collective open letter as an expression of the signatories’ deep concern that Bill C-51 (which the government is calling the Anti-terrorism Act, 2015) is a dangerous piece of legislation in terms of its potential impacts on the rule of law, on constitutionally and internationally protected rights, and on the health of Canada’s democracy.

Beyond that, we note with concern that knowledgeable analysts have made cogent arguments not only that Bill C-51 may turn out to be ineffective in countering terrorism by virtue of what is omitted from the bill, but also that Bill C-51 could actually be counter-productive in that it could easily get in the way of effective policing, intelligence-gathering and prosecutorial activity. In this respect, we wish it to be clear that we are neither “extremists” (as the Prime Minister has recently labelled the Official Opposition for its resistance to Bill C-51) nor dismissive of the real threats to Canadians’ security that government and Parliament have a duty to protect. Rather, we believe that terrorism must be countered in ways that are fully consistent with core values (that include liberty, non-discrimination, and the rule of law), that are evidence-based, and that are likely to be effective.

The scope and implications of Bill C-51 are so extensive that it cannot be, and is not, the purpose of this letter to itemize every problem with the bill. Rather, the discussion below is an effort to reflect a basic consensus over some (and only some) of the leading concerns, all the while noting that any given signatory’s degree of concern may vary item by item. Also, the absence of a given matter from this letter is not meant to suggest it is not also a concern.

We are grateful for the service to informed public debate and public education provided, since Bill C-51 was tabled, by two highly respected law professors — Craig Forcese of the University of Ottawa and Kent Roach of the University of Toronto — who, combined, have great expertise in national security law at the intersection of constitutional law, criminal law, international law and other sub-disciplines. What follows — and we limit ourselves to five points — owes much to the background papers they have penned, as well as to insights from editorials in the media and speeches in the House of Commons. [Source] SEE ALSO: [Bill C-51 defies key rulings on security certificates, lawyers say Anti-terrorism bill muddies waters on disclosure rules for non-citizens] [Conrad Black: Alarm bells must ring in response to the government’s new anti-terror bill] [From opposition to retreat: Tom Mulcair and Bill C-51 ] [Conservatives extend anti-terror bill hearings after opposition filibuster] [Conservatives agree to more scrutiny of anti-terror bill after NDP filibuster][Bill C-51 threatens to sacrifice liberty for security] [National Post View: Why are the Tories determined to rush C-51 through committee?] [C-51: Conservatives demand limit on anti-terror bill expert testimony] [Fighting the evil within: The case for and against the Anti-Terrorism Act]

CA – CSE Monitors Millions of Canadian Emails to Government

CSE, under its mandate to protect federal government computer networks, vacuums up emails sent to and from the government and monitors website traffic, looking for malware and intrusions. Canada’s electronic spy agency watched visits to government websites and collected about 400,000 emails to the government every day, storing some of the data for years, according to the 2010 document. Today’s volume is likely much higher given online traffic growth. Common online activities involving the government include Canadians filing their taxes, writing to members of Parliament and applying for passports. The program to protect government servers from hackers, criminals and enemy states is raising questions about the breadth of the collection, the length of retention and how the information could be shared with police and spy partners in other countries. Public Safety Minister Steven Blaney may have a fight or, at least, a filibuster on his hands at the House public safety committee, which is slated to start reviewing the government’s proposed anti-terror legislation this week. A New Democrat-driven filibuster could delay the bill. [Critics question how long data is stored and what it’s used for ]

CA – Leaked Files Show Canadian Spy Agency Struggling With Flood of Data

Edward Snowden leaked documents to the CBC that reveal the massive amount of data Canada’s spy agency collects every day. CBC revealed that, in 2010 documents, the Communications Security Establishment said it wanted a better computer system to deal with the 400,000 emails it collects every day. The emails are captured in a file format known as PCAP, which allows a government network administrator to record internet traffic in its entirety. The leaked files say the CSE is storing people’s messages on its servers for “days or months.” In one slide, a CSE employee says their servers can store up to 10 terabytes of emails a day — the equivalent of 2,128 DVDs. [Source]

CA – Spy Agency’s Review Group Can’t Perform ‘Oversight’ Role

During three days of lively debate in the Commons over the controversial anti-terror Bill C-51, Public Safety Minister Steven Blaney, Justice Minister Peter MacKay and other Conservative MPs have repeatedly characterized the Security Intelligence Review Committee (SIRC) as providing oversight of… the Canadian Security Intelligence Service (CSIS). Prime Minister Stephen Harper has done the same. Yet SIRC has no such mandate. “We review CSIS. We look at past activities,” to ensure they are lawful, appropriate and effective, SIRC’s Lindsay Jackson said. “Recently the terms ‘oversight’ and ‘review’ have become almost interchangeable but they do actually mean separate things. Direct oversight implies a certain amount of involvement in the active political decision-making or the operational decision-making, and we are not involved in the operational decision-making,” at CSIS. [Source]

CA – Fed. P. Commish Urges Caution Over Sex Offender Registry

There is research that supports the view that laws that reduce the privacy of sex offenders make rehabilitation and reintegration more difficult. Ultimately, this could increase the rate of recidivism. A publicly accessible database also creates a risk of vigilantism, as recognized on provincial dangerous offender websites such as the one in place in Alberta, and increases the risk that fears of being attacked or harassed will drive offenders underground. There is evidence that similar databases in the United States have led to the killing of sex offenders released in the community. [Appearance before the House of Commons Standing Committee on Justice and Human Rights (JUST) on Bill C-26, the Tougher Penalties for Child Predators Act]

CA – Privacy Commissioners Issue Guidelines for Police on Body-Worn Cameras

Federal, provincial and territorial privacy and personal information protection Ombudspersons and Commissioners issued guidance on law enforcement and the use of body-worn cameras. The guidance notes that a Privacy Impact Assessment, which can help identify and mitigate the potential risks to privacy and personal information, is a highly recommended best practice before launching a body-worn camera program. As well, law enforcement agencies can consult with data protection experts and undertake a pilot project before deploying the cameras broadly. The privacy commissioners’ guidelines point to many concerns, including whether recordings will be made in private homes, if citizens will be informed they are being captured on video, and whether police forces will adequately protect private information caught on camera. Among their recommendations are that recordings be protected by safeguards, such as encryption and strict retention periods. They also suggest rules aimed at minimizing the recording of innocent citizens and innocuous interactions with the public. [Press Release] [Source] [Guidance for the use of body-worn cameras by law enforcement authorities] A new plan out of Ottawa would boost information-sharing between Canadian immigration and border enforcement officials, Employment Canada, Revenue Canada, the RCMP and provinces. [The Toronto Star]

CA – Digital Privacy Act, Committee Hears from Federal Privacy Commissioner

Commissioner Therrien told the committee most people — and especially children and recent immigrants — aren’t always able to understand the language used in statements of terms and conditions. That has given rise to questions about whether such “vulnerable people” — as they were referred to by the committee — can legally give consent to the collection of their information. “(S-4) has a potential of improving the definition of consent from children,” he said, noting his office has had to deal with privacy complaints involving children before and recommendations have been made to businesses to use plainer language in the service agreements. “To have this clearly in legislation, that you must think about your clientele, would be useful.” [Source]

CA – B.C. Should ‘Aggressively Pursue’ Body-Worn Cameras for Police

“Members concluded by strongly supporting the use of body-worn cameras in B.C., and calling on government in the consultation with police and non-police stakeholders to aggressively pursue the steps necessary to implement the use of body-worn cameras by B.C. police members,” the report reads. [Metro News]


US – Consumer Awareness of AdChoices Up, Concerns About Targeted Ads

A new study conducted by Ipsos on behalf of TRUSTe has found that 68% of smartphone users are concerned about being served targeted ads, but consumer awareness of the AdChoices program is up 16% from last year. “Our research shows that the majority of Americans are still uneasy about having their online activity tracked for use in targeted ads, mainly because they feel like they have limited control,” said TRUSTe CEO Chris Babel. “The good news is that awareness of the AdChoices icon … has risen substantially and continues to have the potential for positive impact on consumer attitudes.” [Full Story]

US – DAA Launches Two Privacy Control Tools for Consumers

The Digital Advertising Alliance (DAA) has launched two new tools to help consumers locate and opt out of behavioral advertising. “AppChoices” and “DAA Consumer Choice Page for Mobile Web“ intend to increase transparency and choice for online users. The DAA is offering AppChoices on Google Play, the Apple App Store and the Amazon Store. “Our new mobile choice tools deliver the same reliable, independently enforced, privacy-control experience where consumers and brands engage, both across the Internet and on the go,” said DAA Executive Director Lou Mastria. [Source]


WW – How Would Your Company Rate for Email Security?

The best industry for email security? Social media. The worst? Healthcare. Such are the findings of a survey conducted by Agari, which assessed the security of 147 businesses’ email communications, judging them on how they employ the three major email security protocols: Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication, Reporting and Conformance. As many of the world’s largest data breaches were reportedly the result of a targeted phishing attack, email security is becoming an important front line in the cybersecurity battle. [Fortune]
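The three protocols the survey scored are all published as DNS TXT records, so a domain owner can check its own posture without any vendor tooling. The Python below is an added example, not part of the article or of Agari’s methodology: it evaluates a constructed set of SPF, DMARC and DKIM records (the sample zone, the `.example` domain names, the selector name and the strong/moderate/weak rubric are all this example’s own assumptions) and reports the weak configurations a defender would want to fix, including the two failure modes that most often slip through unnoticed: a DMARC policy of `p=none`, which only monitors, and a duplicated SPF record, which RFC 7208 treats as a permanent error.

```python
"""Assess a domain's SPF, DKIM and DMARC DNS records (added example).

The "zone" below is a constructed stand-in for live DNS lookups; swap in a
real resolver to run it against your own domains. The grading rubric is this
example's own and is not the methodology used in the survey discussed above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample zone: DNS name -> list of TXT strings. None of these are real.
SAMPLE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYPLACEHOLDER"],
    "weak.example": ["v=spf1 +all"],            # +all lets anyone send as this domain
    "_dmarc.weak.example": ["v=DMARC1; p=none"],  # monitor-only, no reporting address
    "broken.example": ["v=spf1 -all", "v=spf1 ~all"],  # two SPF records: permerror
}


def lookup_txt(name: str, zone: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """DNS names are case-insensitive; normalise before the lookup."""
    return zone.get(name.lower(), [])


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier (+ - ~ ?) on the terminal 'all' mechanism.

    A bare 'all' means '+' (pass). Returns None if the record has no 'all',
    in which case RFC 7208 evaluates non-matching senders as neutral.
    """
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v' tag lists as used by DMARC and DKIM key records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


@dataclass
class EmailAuthReport:
    domain: str
    spf_all: Optional[str] = None          # qualifier on SPF 'all', if exactly one record
    dmarc_policy: Optional[str] = None     # none / quarantine / reject
    dkim_selectors: List[str] = field(default_factory=list)  # selectors with a key
    findings: List[str] = field(default_factory=list)

    def grade(self) -> str:
        """Example rubric: enforced SPF plus an enforcing DMARC policy scores well."""
        if self.spf_all in ("-", "~") and self.dmarc_policy == "reject":
            return "strong"
        if self.spf_all in ("-", "~") and self.dmarc_policy == "quarantine":
            return "moderate"
        return "weak"


def assess_domain(domain: str, selectors=(), zone=SAMPLE_TXT) -> EmailAuthReport:
    r = EmailAuthReport(domain)

    spf = [t for t in lookup_txt(domain, zone) if t.lower().startswith("v=spf1")]
    if not spf:
        r.findings.append("no SPF record")
    elif len(spf) > 1:
        r.findings.append("multiple SPF records: RFC 7208 permerror, receivers cannot evaluate SPF")
    else:
        r.spf_all = spf_all_qualifier(spf[0])
        if r.spf_all == "+":
            r.findings.append("SPF +all lets any host send as this domain")
        elif r.spf_all == "?":
            r.findings.append("SPF ?all is neutral and gives receivers no guidance")
        elif r.spf_all is None:
            r.findings.append("SPF record has no 'all' mechanism (defaults to neutral)")

    dmarc = [t for t in lookup_txt("_dmarc." + domain, zone) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        r.findings.append("no DMARC record")
    else:
        tags = parse_tags(dmarc[0])
        r.dmarc_policy = tags.get("p", "").lower() or None
        if r.dmarc_policy == "none":
            r.findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            r.findings.append("no rua= address: no aggregate reports on who sends as this domain")

    # DKIM keys live under <selector>._domainkey.<domain>; the selector must be known
    # in advance, so this only confirms that a public key is published for each one.
    for sel in selectors:
        rec = lookup_txt(f"{sel}._domainkey.{domain}", zone)
        if rec and parse_tags(rec[0]).get("p"):
            r.dkim_selectors.append(sel)
        else:
            r.findings.append(f"DKIM selector {sel!r} has no published public key")
    return r


if __name__ == "__main__":
    for name, sels in (("good.example", ["s1"]), ("weak.example", []), ("broken.example", [])):
        rep = assess_domain(name, sels)
        print(f"{name}: {rep.grade()}", *rep.findings, sep="\n  ")
```

Against real DNS, replace `lookup_txt` with a resolver call and keep the rest; the point of the rubric is that SPF alone says nothing about what receivers do with a failure, which is why DMARC policy carries most of the weight.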

CA – CRTC Levies $1.1M Spam Fine

nNovation Partner Shaun Brown discusses the Canadian Radio-television and Telecommunications Commission announcement of its first Notice of Violation under Canada’s Anti-Spam Legislation, including a $1.1 million penalty.


UK – Alleged Cyber Criminal Will Not Give Up Encryption Keys

A British man accused of breaching systems at NASA, the FBI, and the US Federal Reserve is refusing to surrender cryptographic keys that would allow authorities in the UK to access devices seized after his October 2013 arrest. Lauri Love is facing charges in three federal districts in the US. He is planning to petition a UK court to compel the National Crime Agency (NCA) to return the computers and data storage devices. [Ars Technica] [BBC]

WW – New Level of Encryption Boosts Browsing Privacy

CloudFlare is deploying a new level of encryption to improve the security, privacy and speed of its websites. ChaCha20-Poly1305, as it’s called, was formerly used only by Google, but all CloudFlare websites now support the new algorithm, the report states. At the moment, about 10% of CloudFlare HTTPS website connections are using it. The algorithm also protects TLS against cyber-attackers inserting fake messages into secure streams. [ZDNet]

EU Developments

EU – Italian DPA to Audit Google on U.S. Soil

Google will be the subject of regular checks by the Italian Data Protection Authority (DPA) to monitor the status of its actions to bring its platform into line with domestic legislation. Italy’s DPA approved the verification protocol referred to in its order of July 2014 to Mountain View. The protocol envisages quarterly updates on progress status and empowers the DPA to carry out on-the-spot checks at Google’s U.S. headquarters to verify whether the measures being implemented are in compliance with Italian law. Is allowing a DPA onto foreign soil for spot checks a sovereignty issue? Without commenting on the Google case specifically, Hunton & Williams’ Lisa Sotto wondered “how welcome the FTC would be if the commission sought to audit Banca d’Italia in Rome. Of course, companies can voluntarily agree to DPA visits, but there certainly would be significant and complex jurisdictional questions should a foreign DPA seek to compel an audit in another country without the agreement of the company.” [Full Story]

EU – Report: Facebook Privacy Policy Still Violates EU Law

A report from the Belgian Privacy Commission says Facebook is acting in violation of European law, despite updating its privacy policy. The study, which was conducted by the Centre of Interdisciplinary Law and ICT at the University of Leuven in Belgium, found Facebook’s privacy policy update last month “only expanded older policy and practices” and still violates EU consumer protection law. The authors said Facebook’s policies on profiling for third-party advertising don’t meet the requirements for legally valid consent and the social network “fails to offer adequate control mechanisms” for the use of user-generated content for commercial purposes. [The Guardian] [WSJ: The Sharpest Jabs From the Facebook Privacy Report] The 61-page “critical analysis” of Facebook’s revised policies says the social network fools its users into thinking they have more control over data and privacy than they actually do. Facebook says it has made its rules clearer and that it is confident it complies with all laws.

UK – ICO Fines Travel Insurance Company Over Breach

The UK Information Commissioner’s Office (ICO) has fined travel insurance company Staysure GBP 175,000 (US $270,000) for lax website security that resulted in 100,000 payment cards being compromised. Of those, about 5,000 were used fraudulently. The breach occurred in October 2013. The ICO’s ensuing investigation focused on Staysure’s lack of effective IT update policies in place at the time. Staysure says it has improved its security posture.

EU – New EU Privacy Rules to Allow Challenges to Irish Regulator

Under a “one-stop-shop” mechanism initially proposed in reforms of EU data protection laws, businesses operating across the 28-nation bloc would only have had to deal with the data protection authority in the country where they are headquartered or have their main European base – even if the alleged mishandling of data affects citizens in another country. But opposition from some member states that do not want their national regulators to lose policing powers over multinationals such as Google, with an Irish base, led to the proposal being altered so that any “concerned” authority could object to a decision. …A majority of member states agreed to scrap an option requiring at least a third of concerned authorities to object, diplomats said, potentially giving a single “concerned” authority the right to complain. [Source]

EU – Regulation May Be Moving Away from One-Stop-Shop Mechanism

“Ireland will not retain sole control over privacy disputes involving companies such as Facebook and Apple under new rules agreed allowing any of its European peers to challenge Irish rulings.” Had a proposed one-stop-shop mechanism been approved, businesses operating in the EU would only have dealt with the regulator where they have their primary European base. But, according to anonymous sources, member states that did not want their regulators to lose policing powers over multinationals pushed for a change allowing any concerned authority to object to a decision, triggering the intervention of the still-to-come European Data Protection Board, the report states. Ministers still have to sign off on Wednesday’s decision when they meet next month. [General Data Protection Regulation may be moving away from a one-stop-shop mechanism]

US – U.S. Companies Better Work Harder at Data Protection

European Commissioner for Digital Economy and Society Günther Oettinger said the EU should create a single law to protect its citizens’ data from Facebook and Google. “Americans are in the lead. They have the data, the business models and the power,” Oettinger said. “They come along with their electronic vacuum cleaner and suck up all the data, take it back to California, process it and sell it as a service for money,” Oettinger said. He warned tech giants must do more to comply with the EU’s strict data protection rules or face being “thrown out of the single market.” [USA Today]

UK – First Data the First With Double BCRs Through ICO

U.S.-based First Data began its effort to win approval for its binding corporate rules (BCRs) in 2007, back when the process was young and still evolving. This month, the UK Information Commissioner’s Office (ICO) officially recognized the multinational payment solutions company’s BCRs for data processors. Now able to boast that it’s been approved for both processors and controllers, First Data is also the first company to have done so under the purview of the ICO. [Full Story]

EU – The European Union and State Secrets:

Many LIBE members have considered this statement quite appalling because it allowed the US authorities to be the arbiters of whether or not the Ombudsman may exercise her statutory, democratic power to inspect the document at issue in conformity with EU law. It is worth recalling that art. 3 par. 2 of the Ombudsman statute states that: “The Community institutions and bodies shall be obliged to supply the Ombudsman with any information he has requested from them and give him access to the files concerned. Access to classified information or documents, in particular to sensitive documents within the meaning of Article 9 of Regulation (EC) No 1049/2001, shall be subject to compliance with the rules on security of the Community institution or body concerned.” [Source] IT World: Citing “leaked documents,” civil liberties groups are warning that the EU’s proposed data protection reform is “badly broken.”

Facts & Stats

US – Breach Detection Time is Decreasing

According to FireEye, the time it takes for breaches to be detected is dropping. The median time for breach detection was 205 days in 2014, down from 229 days in 2013 and 243 days in 2012. Less than one-third of breaches were detected by the organizations themselves. The FBI has been notifying companies of activity suggesting that their systems have been compromised. [eWeek]

WW – Cyber Attack Risk Requires $1 Billion Insurance Coverage, Per Company

Companies will need as much as $1bn in cyber insurance coverage as the costs of hacking attacks mount, but some businesses are struggling to secure even a tenth of that. US retailer Target said in November that the price tag for the data breach that affected up to 110m of its customers had reached $248m.

US – Reddit Privacy Policy Bans Involuntary Pornography

Reddit has announced new changes to its privacy policy to help curb so-called revenge porn posts. Moving forward, the posting of images or videos of individuals “in a state of nudity or engaged in any act of sexual conduct” will require prior consent from the individuals in the images. “We also recognize that violent personalized images are a form of harassment that we do not tolerate, and we will remove them when notified,” team Reddit wrote. Meanwhile, Craig Brittain, whose revenge porn website was ordered shut down by the U.S. Federal Trade Commission (FTC), is demanding that Google remove search links and any of his “identity-related information” tied to news accounts of the FTC’s actions. [The Washington Post]

US – TurboTax Blocks Filing of State Returns Not Linked to Federal Returns

TurboTax maker Intuit attributes the recent spike in fraudulent electronic state tax returns to the US Internal Revenue Service’s (IRS’s) improved detection of fraudulent returns at the federal level. TurboTax suspended state tax filings earlier in February because of the high number of reports of fraud; some states have seen a rise in fraudulent tax returns of 3,700 percent. While the IRS has been sharing information about fraudulent returns with state revenue departments, in all but four states, residents may file “unlinked” state returns, meaning they may file a state return without filing a federal return at the same time. TurboTax now blocks users from filing unlinked returns with its software. [Krebs]

WW – Citizenfour Wins Oscar for Best Documentary

A film on Edward Snowden’s efforts to disclose NSA spy programs won an Academy Award last night for Best Documentary. Laura Poitras was present with a camera when Snowden first met investigative journalist Glenn Greenwald and others and documented the tense days leading up to the release to the media of NSA programs such as PRISM and Snowden’s attempts to find asylum. Poitras, together with Greenwald, Mathilde Bonnefoy, Dirk Wilutzky and Laura Mills—Snowden’s girlfriend—accepted the award Sunday night. Snowden released a statement congratulating Poitras for the win. [Full Story]

US – Police Generate Facial Characteristics from Crime Scene DNA

Technology allows crime scene investigators to generate digital facial sketches of suspects from crime scene DNA. Investigators in South Carolina released the digital sketch last month, and according to the report, “It may be the first time a suspect’s face has been put before the public in this way, but it will not be the last.” Additionally, future projects aim to match faces generated from DNA to mug shots in databases. “This is another of these areas where the technology is ahead of the popular debate and discussion,” said New York University Prof. Erin Murphy. [The New York Times]

US – 23andMe Names Kate Black as CPO

Personal genetics company 23andMe has appointed IAPP member Kate Black its privacy officer and corporate counsel. Prior to joining 23andMe, Black worked for the Office of the National Coordinator for Health Information Technology at the Department of Health and Human Services, and she’s served as health privacy counsel for the Center for Democracy & Technology. “The potential impact that 23andMe can have on both individual health and the entire healthcare industry is profound,” Black said. “In appropriately leveraging the 23andMe database, we can significantly advance healthcare delivery, but we will not succeed unless we approach it with the utmost concern about protecting customer privacy and building customer trust.” [Source]

Health / Medical

CA – Patients Can Sue Hospitals for Invasion of Privacy, Appeal Court Rules

The ruling upheld an earlier decision that said the province’s health privacy laws do not bar patients from seeking legal action against hospitals if their privacy is breached. This week’s ruling could have sweeping implications for the province’s 155 hospitals as it has given the green light to a multimillion-dollar privacy class action launched against Peterborough Regional Health Centre. [Source]

US – Study Finds Many Health-Related Searches Are Being Tracked

According to the Pew Internet Project, 72% of U.S. Internet users look up health-related information online, but “an astonishing number of the pages we visit to learn about private health concerns (confidentially, we assume) are tracking our queries.” In 2014, a researcher at the University of Pennsylvania created software to analyze the top 50 search results for nearly 2,000 common diseases and found 91% of the pages were “passing your request for information about the disease along to one or more (and often many, many more) other corporations.” About 70% of the time, data transmitted “contained information exposing specific conditions, treatments and diseases,” the report states. [Motherboard] [Study questions claims that browsing data is anonymous] [How 9/10 Healthcare Pages Leak Private Data]

US – Medical Identity Theft on the Rise

According to a study from the Ponemon Institute, medical identity theft increased by 22% in 2014. An estimated 2.3 million adults in the US and their close family members have had their medical information stolen. The study does not include data from the Anthem breach, which was only recently disclosed. [NBC News]

US – In LabMD FTC Trial, Judge Allows Some Congressional Evidence

The latest developments in the FTC data security case against LabMD include an administrative judge ruling that allows consideration of two letters from the U.S. House Committee on Oversight and Government Reform. Both letters were sent to FTC Chairwoman Edith Ramirez, and in one, findings from a congressional investigation raise questions about the role security firm Tiversa played in the case. LabMD’s position is that Tiversa caused the breach so that it could charge LabMD to repair the damage. Tiversa CEO Robert Boback said, “Frankly, the trial is between FTC and LabMD and should not even include Tiversa,” adding, “In my opinion, LabMD and/or its counsel has gone to great lengths to try to drag Tiversa into this while impugning our character and reputation.” The FTC administrative hearing is set for March 3. [Healthcare Info Security]

US – Despite Significant Breaches, Subsequent Fines Are Few

While regulators say they’re cracking down on insurers, hospitals and doctors’ offices that don’t adequately protect the security and privacy of medical records, the data on enforcement tells a different story. Since October 2009, healthcare organizations have reported more than 1,140 large breaches affecting more than 41 million people to the Office for Civil Rights (OCR). In addition, 120,000 smaller breaches have been reported. The OCR has the authority to fine organizations up to $1.5 million per violation, but some say the agency isn’t flexing its muscles enough. It took the OCR five years, for example, to fine Parkview Health System $800,000 for its breach. Adam Greene, a former OCR official, said the office is “overwhelmed.” [ProPublica]

Horror Stories

US – Target Breach Cost $162 Million; Sony Fights for Coverage

Target has announced the total cost of the massive data breach that hit its systems late in 2013 has reached $162 million. Target said the number would have been higher if it did not have cyber-insurance coverage. In separate news, Sony has asked a New York state appeals court to reverse a “landmark” ruling that freed several insurance companies from covering the Sony PlayStation breach from 2011.

WW – Gemalto Admits Breach, Says SIM-card Encryption Keys Not Stolen

SIM-card maker Gemalto says that it appears that US and UK intelligence agencies did breach its systems, but denies that the cards’ encryption keys were stolen. Gemalto says that after looking at the information released in the document, it is likely that two attacks that occurred in 2010 and 2011 were the work of the intelligence agencies. Gemalto says those attacks penetrated only portions of its networks that do not contain cryptographic key information. [WIRED] [BBC]

US – Gemalto Shares Findings of NSA, GCHQ Hacking Investigation

Following recent news that the U.S. NSA and the UK Government Communications Headquarters (GCHQ) infiltrated and stole the encryption keys of the world’s largest SIM card manufacturer, Gemalto has released its findings of the incident. According to a Gemalto press release, the company has “reasonable grounds to believe that an operation by NSA and GCHQ probably happened,” but the hack was limited to office networks “and could not have resulted in a massive theft of SIM encryption keys.” Additionally, Gemalto said that “intelligence services would only be able to spy on communications on second generation 2G mobile networks” and that 3G and 4G networks “are not vulnerable to this type of attack.” [Full Story]

US – LinkedIn Settles Password Security Class-Action

LinkedIn has settled a class-action lawsuit alleging it falsely assured 800,000 users who paid for its premium service that it had strong security measures to protect their personal information. In June 2012, a file containing 6.5 million encoded LinkedIn user passwords was posted on a Russian hacker site, and because the passwords were protected with a weak form of security, hackers could easily decode them. While there was no indication the breach affected the LinkedIn users who were paying a subscription fee for extra services, the users said the company deceived them about its level of Internet security, the report states. The settlement fund is for $1.25 million. [The New York Times]

US – Judge May Side With Hulu in VPPA Case

In a potentially precedent-setting case, U.S. Magistrate Judge Laurel Beeler said at a hearing that she will likely side with online streaming service Hulu in a case that claims the company violated the Video Privacy Protection Act (VPPA). Referencing the case involving Judge Robert Bork’s video rental history following his Supreme Court nomination, Beeler said, “It just doesn’t feel like the Bork transmission of personal information.” Plaintiff counsel Scott Kamber countered by saying, “We believe strongly that if this case does not show knowledge in the situation, that one cannot make a reasonable inference of knowledge from documents presented to the court there can never be a VPPA violation in the realm of the Internet … That may sound bombastic, but I think there is clearly a Judge Bork disclosure here.” [Courthouse News Service] [History] [US Courts Continue To Find That Unique Device Identifiers Are Not Personally Identifiable Information (PII) Under The Video Privacy Protection Act (VPPA)]

WW – Lenovo Under Fire for Default Adware Installation

Security researchers uncovered software preinstalled on Lenovo computers that injects advertising into websites on browsers and installs a self-generated root certificate that essentially acts as a man-in-the-middle attack to create ads on encrypted HTTPS websites. An array of information security experts see the Superfish adware as “a weakness that hackers could potentially use to steal sensitive data like banking credentials or just observe your web surfing activities.” The Superfish software has been shipping on Lenovo computers since mid-2014 and by January of this year, Lenovo said it was removing Superfish due to unspecified “issues.” A Lenovo representative said the company is “thoroughly investigating all and any new concerns raised regarding Superfish.” [PC World]

WW – Lenovo Laptops Shipped with Adware and Persistent Vulnerability

Lenovo has been shipping laptops loaded with Superfish, adware designed to steal Internet traffic. Superfish is designed to “help users find and discover products visually.” It also injects ads into web pages. Superfish hijacks encrypted web sessions, and could easily be misused to conduct man-in-the-middle attacks. Lenovo has stopped including Superfish on its new machines. [Ars Technica] [Forbes] [ZDNet] [BBC] [The Register] [Lenovo]

WW – Lenovo Releases Superfish Removal Tool

Lenovo has released a tool that removes the malicious adware known as Superfish that came pre-installed on some of its laptops. Lenovo also says it is working with McAfee and Microsoft to automatically quarantine or remove Superfish and the certificate from computers of users who do not know about the issue. McAfee and Microsoft products come factory installed on Lenovo devices; the security community has been calling on Lenovo and others to stop the practice of adding “bloatware.” [ComputerWorld]

WW – Fallout from Lenovo Adware Installation Continues

The security community remains up in arms about Lenovo’s decision to install Superfish software—essentially undermining HTTPS encryption without the user knowing—into a commercial line of its computers. In a column for Slate, David Auerbach railed against the company, saying it “betrayed its customers and sold out their security.” Security researcher Marc Rogers said the move is “quite possibly the single worst thing I have seen a manufacturer do to its customer base.” In a blog post, Center for Democracy & Technology’s Justin Brookman wrote, “The law is far from settled, but I believe that absent very clear disclosure to users, breaking encryption likely violates—at the very least—consumer protection law that prohibits deceptive and unfair business practices.” [Full Story]

WW – Mozilla Updates Firefox to Remove Superfish Certificate

A Firefox update released on Friday, February 27, scrubs the Superfish self-signed certificate from the browser. Mozilla released the hotfix to detect whether Superfish has been removed from browsers; if it has been removed, the certificate is removed as well. If Superfish is still installed, the certificate is left in place, as removing it would prevent users from accessing HTTPS websites. [ComputerWorld]

US – Revenge Porn “King” Gets Jail Sentence

Prof. Danielle Citron reports on the latest in the trial against so-called revenge porn “king” Hunter Moore and how he will face jail time for his role in illicitly obtaining and posting nude photos of women without their consent. On Wednesday, Moore entered into a plea agreement with the U.S. Attorney’s Office of the Central District of California, which includes aiding and abetting hacking and aggravated identity theft. “Unless he backs out of his guilty plea,” Citron notes, “Moore is going to serve jail time.” He is next expected in court on February 25, while his co-defendant is set to go to trial in March. [Forbes]

US – Uber Reports Breach Affecting 50,000 Drivers

Uber has reported it discovered one of its databases had a point-of-entry for unauthorized users. A “one-time unauthorized access to an Uber database by a third party” occurred on May 13, 2014, the company said in a statement last week. The database contained driver names and license numbers. The breach impacted approximately 50,000 drivers across multiple states, according to Uber’s managing counsel of data privacy, who added Uber hasn’t received any reports of identity theft. The company is alerting affected drivers and offering them one year of identity monitoring and has filed a “John Doe” lawsuit in an effort to reveal the responsible party. [Ars Technica] [ZDNet] [ComputerWorld] [SC Magazine] [Uber Statement]

US – Police Pay Ransomware Demand in Bitcoins

A suburban Chicago police department paid US $500 in bitcoins to cyber criminals who locked up the department’s computer system with ransomware. Last month, someone in the department opened an email containing Cryptoware malware. [Ars Technica]

EU – Dutch Semi-Conductor Company Admits Breach

Dutch computer chip company ASML has acknowledged that its systems were breached. According to a statement, ASML detected the breach shortly after it occurred. [The Register] [Dutch News]

US – Anthem Says Database Breach Affected 78.8 Million Records

Anthem now says that the breach of its database affected 78.8 million records. Of those, 14 million are incomplete, meaning they lack sufficient information to link them to members. [ComputerWorld] [Numbers broken down by state based on information available]

US – Anthem Breach Affected Some Non-Anthem Customers

The Anthem data security breach reportedly affected some US federal employees who were not Anthem customers. Anthem has not said how many federal employees were affected by the breach. [NextGov]

US – FBI is Close to Identifying Anthem Attack Culprit

The FBI says that it is “close” to identifying the parties responsible for the Anthem breach, but will not disclose the information until it is “absolutely sure.” [ZDNet] [Bloomberg] [The Hill]

US – National Archives Breached

Meanwhile, law enforcement is investigating a potential intrusion into the National Archives. According to The Hill, “A data breach at the National Archives could endanger the personal information of former high-ranking administration officials and family members of former presidents.”

Identity Issues

WW – El Emam Disputes the Shopping Mall Re-identification Study

Science magazine recently dedicated an entire issue to the alleged “death of privacy” and included a study on the re-identification of shoppers who made credit card purchases. One of the study’s key conclusions is that by using only four transactions, 90% of the 1.1 million individuals studied could be re-identified. “This conclusion has then been repeated uncritically by the science and general media communities,” writes Privacy Analytics CEO Khaled El Emam. In this post for Privacy Tech, El Emam critiques the researchers’ conclusions to make the case for a responsible data sharing future. [Full Story]

UK – Scottish Plans for Central Identity Database Spark Privacy Criticism

Campaigners are alarmed after ministers quietly published plans that they say echo the doomed ID card scheme. Critics claim the plans for the wholesale use in Scotland of the unique citizen reference number (UCRN) were extremely similar to the national ID card proposals by the UK Labour government, which were dropped on privacy and civil rights grounds after the coalition took office in 2010. … The Scottish Council for Voluntary Organisations (SCVO), the umbrella group for Scotland’s charities, said it would be pressing the first minister, Nicola Sturgeon, to abandon the proposals. It raised the very real risk of a massive data breach if an official lost a laptop or a database was hacked, undermining trust in public services, said Ruchir Shah, SCVO’s head of policy and research. [Source]

Internet / WWW

WW – New CAPTCHA Alternative Could Hurt User Privacy

A new alternative to CAPTCHAs, the anti-spam login tests used to prove a user is not a robot, may collect personal information from its users. In December, Google launched the “No Captcha ReCAPTCHA” to verify a human user by analyzing mouse movement and the way a user types. Device recognition company AdTruth, however, claims it has evidence the new service collects more information than mouse coordinates and has the potential to share user behavior with advertisers. According to the report, the new program collects personally identifiable information. [Business Insider]

US – Company Using Drones to Track Cell Location for Ads

One company is flying small drones over the San Fernando Valley in Los Angeles, CA, in order to determine cell-phone locations for targeted advertising. The small, unmanned aerial vehicles apparently are determining cell-phone location by “WiFi and cellular transmission signals.” The move is part of an experiment by Singapore-based location-marketing firm Adnear. Smriti Kataria, Adnear’s director of marketing and research, said the devices do not collect conversations or personally identifiable information but rather use cell-phone triangulation and signal strength to determine location. According to the report, “A mobile user needs to have an app open that is transmitting via cellular or WiFi for this mapping to occur.” [VentureBeat]

US – First Lady’s Location Leaked Via Instagram Feed

First Lady Michelle Obama’s Instagram feed is leaking details about her location or that of her staff. The account’s manager has opted into also sharing their location, and that data can reveal details right down to the building “where someone was located when they uploaded a picture to the service.” A picture of a Christmas tree coming into the White House was posted from outside of Allentown, PA, for example. “Politicians’ locations when they post Instagram pictures became an item of interest after the Press this week found that Rep. Aaron Schock (R-IL) was using taxpayer and campaign money to fly on private jets by examining the locations leaked through his Instagram account,” the report states. [The Hill]

US – How Journalists Use Time, Location in Public Posts to Get Stories

Investigative journalism publications use public posts on Instagram to find leads for stories. In one such story, a reporter wrote about a weekend getaway attended by new House Financial Services Committee Chairman Jeb Hensarling (R-TX) and banking industry officials. The reporter found out who was attending the getaway by using one banking lobbyist’s public Instagram post and looking at the time and location. Though Instagram has no search function, it does have an application programming interface with a “Media Search” endpoint “that returns data both by timeframe and distance from a certain latitude and longitude,” the report states. [ProPublica]

HK – Hong Kong Puts Restrictions on Cross-Border Transfers

Taking a step closer to following the EU restrictions on overseas data transfers, the Hong Kong Privacy Commissioner for Personal Data recently issued “Guidance on Personal Data Protection in Cross-border Data Transfer.” While the guidance doesn’t impose any new limitations or obligations on personal data transfers out of Hong Kong, it appears to be a harbinger of transfer restrictions coming into force in the near future, report Dana Post and Victoria White in this exclusive for The Privacy Advisor. [Full Story]

BR – Draft Bill for a Personal Data Protection Law

The Ministry of Justice of Brazil recently opened two public consultations, one on the Marco Civil da Internet and the other on the Draft Bill for a Personal Data Protection Law (APL). Gustavo Artese offers an outline of the draft APL presented, saying, “much of the protection regime foreseen by the APL has been inspired by … the EU proposed regulation.” Similarities occur specifically in its definition of personally identifiable information, the rights of data subjects and the principles of data processing. Uncertainties remain, however, “as to whether a supervisory authority will be created.” [Full Story]

Online Privacy

WW – Chrome Will Warn Users When They Try to Visit Sketchy Sites

Google’s Chrome browser will warn users when they try to visit sites that may harm their computers through surreptitiously changing the browser’s home page or placing certain ads on pages. The warning will appear before the domain is displayed. Google is also taking steps to minimize the presence of deceptive sites in search results. [The Register] [ComputerWorld]

US – NAI: No One Should Be Outed By Ads

While court decisions and legislation have produced significant gains for the lesbian, gay, bisexual and transgendered (LGBT) community, prejudices remain and, too often, the LGBT community is “confronted with serious discrimination,” Network Advertising Initiative (NAI) President and CEO Marc Groman writes in this post for Privacy Perspectives. He notes the NAI’s update to its Self-Regulatory Code of Conduct in 2013 included the addition of sexual orientation as sensitive information, prohibiting NAI members from creating audience segments or interest categories for interest-based advertising “based on an individual’s status or perceived status as LGBT without obtaining opt-in consent.” Groman writes that “this practice was the right thing to do for consumer trust and privacy … This is how self-regulation is supposed to work.” [Full Story] [NAI Appoints Leigh Freund New President and CEO]

US – Can Intellectual Privacy Survive in the Digital Age?

Evan Selinger talks to Washington University Prof. Neil Richards about his new book, Intellectual Privacy: Rethinking Civil Liberties in the Digital Age. Richards says intellectual privacy “is about needing to have protections from being watched and interfered with when we’re making up our minds about the world, when we’re reading, surfing the web, talking on the phone and sending email to confidants.” Richards adds our intellectual property and, therefore, our free society are currently being threatened because “companies and the government have so much control over our intimate information that people live in a state of perpetual uncertainty and sometimes fear.” [The Christian Science Monitor]

US – Koppie Koppie Puts Your Child’s Photo Up for Sale

In a translated post, Dimitri Tokmetzis discusses an experiment conducted with designer Yuri Veerman called Koppie Koppie. The online store sells mugs with photos of children Tokmetzis and Veerman legally collected off Flickr. They put the images on coffee mugs and then sell them in their store, Koppie Koppie. “Aren’t we violating the privacy of these children and their families by commercializing these intimate family moments?” Tokmetzis asks, adding, “We share your concern.” He describes three ways people’s privacy is being violated by their commercial venture, including the lack of user control over personal information, lack of confidentiality and lack of privacy in context. [Medium] [Koppie Koppie sells photos of your kids to prove you shouldn’t post them online]

US – Spotify Log-In Requirements Mean “Enormous” Data Insights

At a recent conference in California, Spotify’s Brian Benedik discussed the amount of data the company collects on its users. Because of its requirement that every user, paying or non-paying, sign in to use the service, the company collects an “enormous amount of data on what people are listening to, where and in what context. It really gives us an insight into what these people are doing,” Benedik said. Because users register both directly through the site and via Facebook logins, Spotify knows a lot about users’ age, gender and location, he added. [Full Story]

US – Behind the Scenes With the New DAA AppChoices Program

The Digital Advertising Alliance has announced an extension of its AdChoices program beyond the desktop. AppChoices, an app consumers can download (with an attendant web page), allows consumers, for example, to choose not to allow advertisers to target them based on their location on mobile devices like phones and tablets. Now, why would a company like xAd, whose very business model involves targeting consumers by location, want to participate in such a program? [Privacy Advisor]

US – Case Against Pandora’s Facebook Integration Could Go to Highest Court

Michigan resident Peter Deacon is appealing a 2012 ruling issued by U.S. District Court Judge Saundra Brown Armstrong dismissing his potential class-action lawsuit against Pandora. In 2011, Deacon alleged Pandora’s integration with Facebook violated Michigan’s Video Rental Privacy Act, which prohibits companies that rent, lend or sell music from disclosing customers’ identities without their consent. A lawyer for Deacon told an appeals court this week that the pro-Pandora decision “guts the protections” lawmakers intended for consumers. Some of the judges’ questions in court suggest the matter could be sent to the Michigan Supreme Court, the report states. [MediaPost]

Other Jurisdictions

Privacy (US)

US – White House Releases Draft of Consumer Privacy Bill

Companies are also required to take “reasonable steps” to mitigate privacy risks and make them clear to users, and the FTC will need to establish rules for privacy reviews. If a company violates the terms of the act, it’s subject to lawsuits from the FTC, users, and state attorneys general. The bill creates exemptions for small operators, including people who process data for 10,000 or fewer people a year or have no more than five employees, which the White House says can ease the burden for small businesses. [The Verge] [Initial Thoughts on Obama Administration’s “Privacy Bill of Rights” Proposal]

US – Court Case Could Set Precedent on Breach Coverage

An upcoming decision from the Connecticut Supreme Court could set a new precedent for data breach insurance coverage litigation. The case involves a dispute over the exposed sensitive personal information of 500,000 IBM employees. An appellate court had ruled to nix the coverage of more than $6 million in losses in a 2007 data breach incident. According to the report, the high court is expected to rule on what constitutes a “publication” that triggers data breach coverage with data that is compromised, effectively “reshaping” how such cases are litigated. [Law360]

US – FTC Eyes Privacy Issues in Merger Reviews

The head of the FTC Bureau of Competition has said the agency could expand its coverage of merger reviews to include privacy issues. The expansion is seen, in part, as a result of companies competing on privacy. FTC Bureau of Competition Director Deborah L. Feinstein made the remarks at a conference held by BakerHostetler. “Privacy could be a form of non-price competition important to customers,” Feinstein said. [Law360]

US – YouTube Kids Could Raise COPPA Questions

Google has announced the much-anticipated release of a child-friendly YouTube service, YouTube Kids, Inside Counsel reports. “The app will no doubt be analyzed for its safety, and, as with any issue regarding children and the Internet, it calls up issues of compliance with the Children’s Online Privacy Protection Act,” the report states. [Inside Counsel]

US – Plaintiffs Appeal Decision

Representatives of a group of young children are appealing a judge’s decision to dismiss a lawsuit accusing Google and Viacom of violating a federal video privacy law. The suit “centers on allegations that Viacom allows Google to set tracking cookies on the kids’ site,” the report states.

US – Clapper v. Amnesty International’s Impact on the Harm Threshold

“Amid the storm of cybersecurity incidents in the last year, plaintiffs still face an uphill battle convincing courts that they suffered actual, and not hypothetical, harm from data breaches,” Cheryl Howard and Dana Post write. “In several recent decisions, however, courts have found that plaintiffs alleging future harm had adequately pleaded Article III standing, giving renewed vigor to data breach cases.” Howard and Post consider the Supreme Court’s 2013 ruling in Clapper v. Amnesty International, which held that Article III standing requires a threatened injury to “be certainly impending to constitute an injury in fact,” and the case’s implications. [Full Story]

US – CDT Launches Breach Notification Multi-Stakeholder Effort

CDT has announced it is launching a multi-stakeholder effort to find innovative solutions to data breach issues. The Common Ground Data Breach Forum will first meet on March 17 and brings together leaders from the CDT’s Internet Privacy Working Group and the Digital Privacy & Security Working Group. The announcement comes a week after the CDT and law firm Jones Day brought together representatives from government, industry and nonprofit organizations. [Full Story]

US – Judges, FTC Commissioners to Discuss Section 5 Use

BakerHostetler will host current and former commissioners from the FTC and decision-makers from three branches of government to discuss the FTC’s use of Section 5 in antitrust and consumer protection enforcement actions. The Section 5 Symposium will be held in Washington, DC, and will also be webcast. Symposium topics include the origins, past and present use and future parameters of Section 5 as an enforcement vehicle, and it will feature FTC Commissioners Joshua Wright and Maureen Ohlhausen. Other panelists include The Hons. Douglas Ginsburg, William Kovacic and Terry Calvani and the FTC’s Jessica Rich. [Full Story]

US – DoE Releases Model Terms of Service, Training Video

The Department of Education’s Privacy Technical Assistance Center released a “Model Terms of Service” document to assist school districts in complying with the “Requirements and Best Practices” document the department released in February 2014. Significantly, it contains a table of definitions that “cannot or should not be included in TOS” by education technology providers. Concurrently, the department released a video for schools and districts to use on in-service days and in other training environments to train educators on privacy issues and their responsibilities with student data. [Full Story]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

WW – Silent Circle Set for “World’s First” Privacy Ecosystem

Privacy-enhancing technology provider Silent Circle is set to unveil the “world’s first privacy ecosystem” together with new devices, software and services at the upcoming Mobile World Congress in Spain. Silent Circle has raised nearly $50 million in a funding round, noting there’s a “strong demand” to keep communications private. Cofounder and Executive Chairman Mike Janke said Silent Circle has “created an integrated suite of secure enterprise communication products that are challenging the status quo.” Silent Circle President and CEO Bill Conner said, “As the nature and volume of data breaches increase, institutional trust is eroding … In short, in a post-Sony and Gemalto world, security breaches have been made both enterprise and personal so it’s no longer an issue affecting just the boardroom.” [ZDNet]

US – CDD Says Call for Drone Multi-stakeholder Approach Misguided

Privacy advocacy group the Center for Digital Democracy (CDD) does not agree with President Barack Obama’s call for a multi-stakeholder approach for developing privacy codes of conduct for drone use. CDD Executive Director Jeffrey Chester said the multi-stakeholder approach “is practically a guarantee that either no rules will ever be written or, if they are, will favor the ubiquitous and always advancing big data-driven collection system already in place (across our devices, applications, etc.).” The National Telecommunications & Information Administration (NTIA) disagreed with Chester’s assessment. “NTIA’s multi-stakeholder meetings are open to anyone who wants to participate, and we encourage participation from a broad range of stakeholders including civil society,” an NTIA spokeswoman said. [Multichannel News]


WW – Physical Cookies Aim to Replicate Cookies, Eliminate Privacy Woes

A plastic RFID device called a “Physical Cookie” works much like an online cookie, studying shoppers’ preferences and tailoring deals and messages accordingly. A mall in Finland recently offered targeted deals to shoppers who agreed to carry the “cookie.” Instead of logging users’ histories, though, the Physical Cookie looks only at the time shoppers spend in the mall. Meanwhile, another tool called the Rately Merchant Platform “addresses privacy problems by not creating them in the first place,” Forbes reports. It allows consumers to opt in when visiting a website, tag items they’re interested in and, if they allow it, see promos based on those tags. But retailers don’t get data on the anonymized personas or see which in-browser notifications get clicked on. [Mashable]


US – NIST Budget Could Reach $1.1 Billion

The National Institute of Standards and Technology (NIST) could see a boost in its annual funding if President Barack Obama’s proposed budget is passed by Congress, Capital News Service reports. NIST could stand to gain an additional $225.8 million—for funding totaling $1.1 billion—if the budget is passed. The cybersecurity portion of NIST’s budget would gain an additional $7 million. Earlier this month, Rep. Elijah Cummings (D-MD) said, “Congress and the Executive Branch must do all we can to mitigate risks at federal agencies and ensure that American consumers are protected when they provide their personal information to private companies.” [Full Story]

WW – HP’s 2015 Cyber Risk Report Says Companies Not Patching Properly

Hewlett-Packard’s 2015 Cyber Risk Report, released on February 23, found that nearly 45% of breaches could be attributed to vulnerabilities for which patches have been available for two or more years. Of those unpatched flaws, server misconfigurations topped the list. [eWeek] [SC Magazine]

US – Teen Makes $15 Device, Hacks Connected Car

A 14-year-old has built an electronic remote communications device capable of connecting to and controlling a vehicle’s internal computer network using $15 worth of parts. A number of automotive executives expressed their surprise at a Center for Automotive Research conference last week. The teen, along with 30 others ranging from high school students to PhD candidates, was taking part in the third annual Battelle CyberAuto Challenge. Though the event happened last summer, a recent report on the security vulnerabilities of connected cars by Sen. Edward Markey (D-MA) has brought the issue back into the spotlight. Delphi Automotive Chief Technologist Andrew Brown, Jr., said the hack “was mind-blowing.” The lead scientist for the auto challenge said the event intends to keep the auto industry “on its toes.” [PCWorld]

US – NIST’s Risk Management for Replication Devices

The US National Institute of Standards and Technology (NIST) has released an internal report titled Risk Management for Replication Devices, a category that includes copiers, printers and scanners. Among the issues that need to be addressed are unchanged default passwords, data that are stored and transmitted without encryption, and unpatched or outdated operating systems and firmware. [GCN]

US – ‘Breakthrough’ NSA Spyware Shows Deep Grasp of Makers’ Hard Drives

‘All-powerful’ spyware on hard drives is an unprecedented technique, experts say. The U.S. National Security Agency reportedly figured out how to conceal spyware in hard drives years ago, according to former operatives, who say a new Kaspersky Lab cybersecurity report analyzing the espionage operation is correct. Tom Keenan, a cybersecurity expert and fellow at the Canadian Defence and Foreign Affairs Institute, explains that malware hidden in firmware would be nearly impossible to detect. “There’s no anti-virus program, no software that can protect you from someone who’s going to attack your firmware because all those programs have to talk to the firmware, and the firmware is doing what it pleases.” [CBC] [Russian Researchers Expose Breakthrough in U.S. Spying Program]


WW – Google: FBI’s Expanded Surveillance Plan Seriously Violates Constitution

Google is warning that the government’s quiet plan to expand the FBI’s authority to remotely access computer files is a “monumental constitutional concern.” Google submitted public comments earlier this week opposing a Justice Department proposal that would grant judges more leeway in how they can approve search warrants for electronic data, the report states. Google’s director for law enforcement and information security, Richard Salgado, said the plan “raises a number of monumental and highly complex constitutional, legal and geopolitical concerns that should be left to Congress to decide.” [National Journal]

US – TSA Rethinking Expanding Commercial Data-Mining Program

The Transportation Security Administration (TSA) is reassessing an expansion of its PreCheck program that would mine commercial data to analyze travelers. On February 7, the TSA “rescinded a December request for proposals asking vendors for solutions that would expand the PreCheck passenger screening program to collect publicly available and commercial data on potential participants,” the report states. Critics say such a process would do more than expand PreCheck, putting private companies “in charge of determining who poses a security threat to the traveling public.” The Center for Democracy & Technology’s Chris Calabrese said there’s no science indicating it’s even possible to data-mine to pick out terrorists. [Federal Times]

US – Jeb Bush Backs NSA’s Bulk Collection of Phone Data

Former Florida Governor and potential presidential candidate Jeb Bush has said he supports the U.S. NSA’s program that collects in bulk the phone metadata of U.S. citizens. “This is a hugely important program to use these technologies to keep us safe,” he said on Wednesday. “For the life of me, I don’t understand (how) the debate has gotten off track,” noting that following the program’s rules does “protect our civil liberties.” Bush’s stance on the controversial program is at odds with two other potential Republican presidential candidates, Sens. Rand Paul (R-KY) and Ted Cruz (R-TX). Bush made privacy news last week after he released a trove of unredacted emails while serving as governor from 1999 to 2007. [The Hill]

Telecom / TV

CN – China Removes Tech Companies from Approved for Government Use List

China has taken several high-profile US technology companies off its list of products approved for use by Chinese government agencies. The recently removed companies include Cisco, Apple, McAfee, and Citrix. The policy is seen as an attempt to boost Chinese use of its domestic technology, such as Huawei and ZTE. One of the demands from the Chinese government was for tech companies to surrender their encryption keys and submit their source code for inspection. [BBC]

US – FCC Passes Net Neutrality Rules

The US FCC has passed net neutrality rules, which include reclassifying broadband as a telecommunications service; prohibiting broadband providers from throttling or speeding up connections for a fee; and prohibiting providers from making paid prioritization deals. The US Telecommunications Industry Association said to expect legal action from broadband providers. [CS Monitor] [SC Magazine] [BBC]

WW – Malware Can Track Smartphones by Power Use

Researchers from Stanford University have discovered a vulnerability that would allow smartphone location tracking based on how the phone’s power is used. Yan Michalevsky and a team said, “Our approach enables known route identification, real-time tracking and identification of a new route by only analyzing the phone’s power consumption.” A phone’s power usage depends on how far away it is from a base station, so as a user moves, the power draw changes in relation to that base station. The team’s work, the report states, demonstrates how easily privacy can be undermined and serves as “a warning that whatever steps are taken to protect personal data, there will always be ways that it can leak unexpectedly.” [MIT Technology Review]

US – ACLU Obtains Warrant Revealing FBI Knew Stingray Disrupted Devices

The US Justice Department has maintained that the secrecy surrounding stingray cell phone surveillance technology was necessary to prevent criminals from figuring out how to elude its reach. However, the American Civil Liberties Union (ACLU) recently obtained a warrant application for stingray use and found that the FBI knows that stingrays can disrupt cellular service for all phones and mobile devices in the vicinity of the targeted device that use the same network. [WIRED] [WIRED] See also: [Senator Questions Stingray Use]

US – Advocates Hope Net Neutrality Will Be Privacy Win

The FCC made history on Thursday by classifying ISPs as public utilities. The vote was aimed at ensuring net neutrality, but the reclassification means the FCC will now have more oversight of privacy practices of ISPs, and privacy advocates say it also probably means better protections for consumers because it means ISPs “will now have to abide by a specific set of rules designed to protect the privacy of communications.” [The Washington Post]

UK – Parliament Wants Government to Classify Broadband as Utility

In a report titled Make or Break: The UK’s Digital Future, members of the UK’s House of Lords call on the government to reclassify Internet access as a public utility, ensuring that it is available to all citizens. The report also notes that the UK is lagging behind other countries with regard to high-speed Internet access, which could have a negative effect on the country’s international competitiveness. [Silicon Republic] [Ars Technica] [UK Parliament]

US Legislation

US – White House Privacy Bill Met With Criticism from All Sides

The White House released what it’s calling a “discussion draft” of its Consumer Privacy Bill of Rights (CPBR) to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.” Though the highly anticipated CPBR did receive some support, for the most part industry, lawmakers, regulators and privacy advocates all expressed concerns with the legislation. [Full Story]

US – Obama’s Personal Data Notification & Protection Act

The proposed legislation’s ultimate success likely will turn on whether both sides can reach agreement on a middle ground and recognize that neither businesses nor privacy advocates will be able to cherry-pick all of their favorite provisions from existing state laws and earlier federal proposals. The following is a brief analysis of the proposed bill’s key provisions. [Mondaq]

US – California May Limit Law Enforcement’s Warrantless Data Collection

SB 178, known as the Electronic Communications Privacy Act (or CalECPA, for short), curtails California law enforcement agencies’ ability to compel companies providing “electronic communications services” to produce “electronic communication information” without a warrant, a wiretap order, or a showing of exigent circumstances. It also limits law enforcement’s ability to conduct warrantless searches of mobile devices. [Source]

US – California Lawmakers Consider Drone Privacy Bill

Jackson has introduced SB 142, which she said would protect people from aerial invasions of privacy. “If you were to jump over your neighbor’s fence and stand in their yard recording what they had to say, that’s a trespass,” she said. “Why should it be any different with a drone?” [Legislation would apply trespass rules to the air]

US – Missouri Bill Would Keep Most Police Camera Footage from Public View

Taxpayers deserve to know how the police officers they fund behave. Yet Libla’s proposed legislation would make it prohibitively difficult for members of the public to view footage of police officers doing their job. Under Libla’s proposal, footage of serious police misconduct could be released by court order during an investigation. However, if implemented, the legislation would mean that in cases in which a victim of police abuse or misconduct is unwilling or unable to sue or press criminal charges, the relevant body camera footage would not be made public. Suing the government is an expensive and time-consuming endeavor with no guarantee of success. Many people who live paycheck to paycheck simply cannot afford a lawyer’s retainer for several thousand dollars to just get into the courtroom to ask for the video to be released. [Source]

US – Other Legislative News:

  1. Sens. Edward Markey (D-MA), Richard Blumenthal (D-CT), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) have reintroduced the Data Broker Accountability and Transparency Act, which would allow consumers “to order the companies to stop using, sharing or selling data about them for marketing purposes.” [The Hill]
  2. The Christian Science Monitor’s Passcode offers an overview of new U.S. senators’ privacy stances going into the elections and how their commitment is shaping up now that they’re in office.
  3. Sen. Bob Menendez (D-NJ) and others are pushing a bill proposed last May that would “create a nationwide standard for data security and require companies to tell customers about data breaches within 60 days.” [The Jersey Journal]
  4. Indiana Attorney General Greg Zoeller met with the Federal Communications Commission to convince the agency to deny requests made by finance industry groups to weaken the Telephone Consumer Protection Act. [WISHTV]
  5. JDSupra: drone bills in California and Florida.
  6. KFBK: a package of 10 privacy bills introduced, or soon to be, in the California legislature targeting connected cars, drones, infant DNA and more.
  7. Two bills in front of the Illinois Senate aim to put restrictions on the use of automated license-plate reader systems [The Tenther]
  8. New Hampshire’s House will vote on a student privacy bill this week that would prohibit schools from demanding access to students’ online accounts [NHPR]
  9. Oregon Attorney General Ellen Rosenblum has introduced the Oregon Student Information Protection Act, aiming to protect students’ personal and academic data while enabling innovation and research [Common Sense Media]
  10. The executive director of the ACLU of Virginia tells WDBJ about the Virginia General Assembly session that included a Stingray bill, a drone bill and a license-plate reader bill.
  11. A Virginia bill that started off requiring officials at state colleges and universities to notify parents when a student exhibits suicidal tendencies or behavior has passed with significant changes due to privacy concerns, among others. [The Daily Progress]
  12. Sen. Edward Markey (D-MA) and Rep. Peter Welch (D-VT) have proposed the Drone Aircraft Privacy and Transparency Act to protect individuals’ privacy in light of the expanded use of drones.
  13. The Arizona House approved a revised version of its “revenge porn” bill, but civil liberties advocates who sued to block the law said the changes don’t allay their concerns about the legislation. [Arizona Daily Star]
  14. The Arkansas House has passed a bill that would require employees of organizations that serve youth to “friend” their employers [The Huffington Post]
  15. California Sen. Mark Leno (D-San Francisco) introduced SB 576 that would require vendors to explain to consumers their location information practices upon installing a new app. [THE Journal]
  16. The Colorado Senate Education Committee unanimously approved a bill preventing the sharing or selling of personally identifiable student data by software, database and app companies, but added an amendment that may complicate the disclosure requirements. [Chalkbeat]
  17. The Colorado House Judiciary Committee has delayed a vote on a drone bill over concerns of how to prevent penalizing individuals for everyday photography [Associated Press]
  18. An Iowa Senate subcommittee has voted in support of a bill that includes provisions that would block the public from accessing gun permit-holders’ names. [WQAD]
  19. Missouri Rep. Diane Franklin (R-District 123) has introduced a bill that would require childcare centers to notify parents upon request of children in their care who haven’t been vaccinated. [HealthIT Security]
  20. Michigan’s House has delayed a bill that would require mobile phone providers to disclose to police without a warrant the location of a user that is believed to be in danger of harm. [MLive]
  21. New York Assemblyman Ed Braunstein (D-Queens) has proposed legislation that would make it a felony to film patients receiving medical treatment without prior consent. [ProPublica]
  22. Rhode Island is considering restricting government use of drones. [The Tenther]
  23. Texas Sen. Craig Estes (R-Wichita Falls) filed a bill to protect individuals’ location information from warrantless search and seizure. [Mineral Wells Index]
  24. A Utah House committee has approved a bill to restrict the collection and retention of student data by Utah schools. [The Salt Lake Tribune]


01-15 February 2015


WW – Facebook Rolls Out New Facial Recognition Technology

Facebook is rolling out a new facial recognition technology called “DeepFace,” which was developed for Facebook by an Israeli company it acquired in 2012. The technology can recognize a human face in a new photo by comparing it with a previously uploaded photo with 97.25% accuracy. The company tested the technology by having it match tagged photos with a database of more than four million images representing more than 4,000 different people. DeepFace is only available to some users thus far, and Facebook is allowing users to opt out if they wish by changing their privacy settings. [MediaPost] See also: [Biometric Update reports market research firm Goode Intelligence has published a whitepaper entitled The Impact of Privacy and Data Protection Legislation on Biometric Authentication].

US – Millions of DNA Samples Stored In Warehouse Worry Privacy Advocates

Privacy advocates are calling for more safeguards related to a state collection of DNA samples from 16 million Californians in a nondescript government warehouse in the Bay Area. The biobank holds blood taken with the prick of a heel from almost every baby born in California for the last three decades. It is used to screen for 80 health disorders, such as cystic fibrosis and sickle cell anemia. Unlike most states, California keeps the frozen samples indefinitely and shares them with genetic researchers, for a fee. State officials say the samples are secure and are used to save lives. But the privacy advocates and an influential state lawmaker, concerned about the potential misuse of DNA information, say parents and donors should have a clear choice about whether the state can keep theirs. [LA Times]

UK – Hundreds of Thousands of ‘Innocent People’ in Police Photo Database

They include photos of [“hundreds of thousands” of] people never charged, or others cleared of an offence, and were uploaded without Home Office approval. Biometrics Commissioner Alastair MacGregor QC said he was concerned about the implications of the system for privacy and civil liberties. Speaking in his first interview, he said that police forces had begun setting up a searchable database of police mugshots last year, without telling either him or the Home Office. Almost every police force in England and Wales had now supplied photographs, he said. [‘Innocent people’ on police photos database]

Big Data

US – Podesta Shares Privacy Progress Report

John Podesta looks at big data and privacy in The White House Blog. “Today, we’re releasing an interim progress report detailing the progress we have made—and what we still have ahead,” he writes, discussing the commitment President Barack Obama has made “to ensure that student educational data is used only for educational purposes” and the administration’s work “with a bipartisan group of legislators” that plans to introduce “legislation to fulfill that promise.” Podesta also discusses price discrimination and consumer protection. “Big data will continue to contribute to and shape our society, and the Obama administration will continue working to ensure that government and civil society strive to harness the power of these technologies while protecting privacy and preventing harmful outcomes,” he writes. [Full Story]

US – White House Releases Report on Differential Pricing

The Obama administration has released a 22-page report on big data and the issues around so-called price discrimination. “One of the many questions raised by big data is whether companies will use the information they harvest to more effectively charge different prices to different customers, a practice that economists call price discrimination,” the report states. The confluence of big data analysis and price differentiation has raised concerns, and “many companies already use big data for targeted marketing, and some are experimenting with personalized pricing,” the report states. It suggests many concerns “can be addressed by enforcing existing antidiscrimination, privacy and consumer protection laws” and calls for increased transparency on how consumer data is used and shared. [Full Story]

US – The Big Data Picture – Just How Anonymous Are “Anonymous” Records?

It’s vague enough that when the authors knew the details of any four transactions you’d made during the three-month data period (as, for example, any shop you had visited four times would), they had a chance lower than 15% of guessing which anonymous tag in the file was yours. But with 10 known transactions, something you might easily rack up with multiple retailers through daily habits at a coffee shop, a parking lot or a newsagent, their chance of pinpointing you rose above 80%. Loosely speaking, the anonymous data they had access to, even when coarsened astonishingly, turned out to be not-so-anonymous after all. [Naked Security]
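The measurement behind that finding is “unicity”: the share of people whose anonymous record is the only one in the file consistent with a handful of transactions an observer already knows about them. The following is an added example, not code from the article or from the study’s authors; it runs that measurement over a constructed five-person transaction file with only (shop, day) pairs, so a data holder can check how quickly uniqueness climbs as the number of known transactions grows, and whether bucketing days into weeks (the “coarsening” the article mentions) actually helps. The person labels, shops and days are all constructed sample values.

```python
"""Unicity of an 'anonymous' transaction file: how many records become unique
once an observer knows k of a person's transactions."""
from collections import defaultdict

# Constructed sample file: (anonymous_id, shop, day). No names or amounts, only
# where/when pairs. A and E are deliberately identical to show the limit of the
# attack: two people with the same trail can never be told apart.
RECORDS = [
    ("A", "coffee", 1), ("A", "coffee", 2), ("A", "parking", 3), ("A", "news", 4),
    ("B", "coffee", 1), ("B", "coffee", 2), ("B", "parking", 3), ("B", "grocery", 5),
    ("C", "coffee", 1), ("C", "coffee", 2), ("C", "bakery", 3), ("C", "news", 4),
    ("D", "coffee", 1), ("D", "gym", 2), ("D", "parking", 3), ("D", "news", 4),
    ("E", "coffee", 1), ("E", "coffee", 2), ("E", "parking", 3), ("E", "news", 4),
]


def by_person(records):
    """Group the flat file into {anon_id: [(shop, day), ...]}, keeping file order."""
    groups = defaultdict(list)
    for anon_id, shop, day in records:
        groups[anon_id].append((shop, day))
    return dict(groups)


def coarsen(records, days_per_bucket):
    """Replace exact days with day buckets (e.g. 7 = weekly), the 'coarsening' the
    article refers to. Shops are left as they are."""
    return [(anon_id, shop, day // days_per_bucket) for anon_id, shop, day in records]


def candidates(records, known):
    """Anonymous ids whose trail contains every (shop, day) the observer knows."""
    known = set(known)
    return {anon_id for anon_id, points in by_person(records).items()
            if known <= set(points)}


def unicity(records, k):
    """Fraction of people pinned to exactly one anonymous id by the first k
    transactions of their own trail (the observer's 'known' points)."""
    groups = by_person(records)
    unique = sum(1 for points in groups.values()
                 if len(candidates(records, points[:k])) == 1)
    return unique / len(groups)


if __name__ == "__main__":
    weekly = coarsen(RECORDS, 7)
    for k in range(1, 5):
        print(f"k={k}: exact days {unicity(RECORDS, k):.2f}, "
              f"weekly buckets {unicity(weekly, k):.2f}")
```

On this sample, unicity rises from 0 with one known transaction to 0.6 with four, and bucketing days into weeks leaves it at 0.6: the shop mix alone is enough to single people out, which is the article’s point that coarsening on its own is not anonymization. A data holder can run the same two functions over a real export before release; a high unicity at small k is the signal that the file needs stronger treatment (aggregation, sampling, or noise) rather than just coarser timestamps.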

US – FTC Asked to Investigate Big Data Acquisitions

The Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and Public Citizen said last week the FTC should launch an investigation into the growing consolidation of big data analytics firms and digital marketing companies. The groups are concerned about a “recent spate of acquisitions in the big data and digital marketing industries,” the report states. In a letter to FTC Chairwoman Edith Ramirez, the groups wrote about companies “amassing vast holdings of the key element that drives much of online commerce,” namely information about consumers. The groups are particularly concerned about Oracle’s recent acquisition of data broker Datalogix, the report states. [PCWorld] [IAPP VP of Research and Education Omer Tene writes that a speech Federal Trade Commission Bureau of Consumer Protection Director Jessica Rich gave last week “maps out the state of play at the intersection of technology, law and policy”]

WW – Big Data And Insurance: Should There Be A Code Of Practice?

Association of British Insurers (ABI) chairman Paul Evans called on the insurance industry to “anticipate regulators” and develop its own big data code of practice in a recent interview with the Financial Times, which makes a lot of sense. So what are the issues that a code might cover? We can all imagine privacy and data protection issues, but the use of big data in insurance touches on a number of other important legal issues. [Source]

US – Palantir Buys Start-Up, Adds Retail Analytics

Palantir, which is known for its data analytics platform and is used in law enforcement, financial research, healthcare and other areas, can now “add retail and shopping data to the mix” with its purchase of start-up Fancy That. Fancy That “has built a platform to help retailers with their omnichannel strategies across physical stores, online, mobile and other platforms where they sell goods and communicate with customers,” the report states, noting Fancy That “incorporates elements of machine learning, mobile, and sensor technologies into its services. It works on both software and hardware technologies.” The terms of the Fancy That deal have not been disclosed. [TechCrunch]


CA – Bill C-51: The Anti-Terrorism Act, 2015

The federal Conservative Government introduced a sweeping anti-terrorism bill (Bill C-51, the Anti-terrorism Act, 2015). Much of the media attention on Bill C-51 has rightly focused on the creation of a new criminal offence of knowingly advocating or promoting the commission of terrorism offences and the new judicial power to remove terrorist propaganda from websites using Canadian Internet service providers. These have significant implications for freedom of expression. However, this multi-part review of the privacy implications of Bill C-51 begins with the new Security of Canada Information Sharing Act, whose self-declared purpose is “to encourage and facilitate the sharing of information among Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada” (s. 3). [Source]

CA – Canada’s New Anti-Terror Bill C-51 Concerns Privacy Commissioner

Privacy Commissioner Daniel Therrien says he is concerned that the government’s new anti-terror bill does not respect the privacy rights of Canadians. Bill C-51 proposes to lower the threshold of what’s required for police to make an arrest in a terror case. Previously an arrest could be made only if a terror act “will be” carried out, but C-51 would allow police to arrest a suspect if an attack “may be” about to happen. It would also broadly expand the powers of Canada’s spy agency, CSIS, to “counter-message” or “disrupt” terrorist websites, Twitter accounts and the like. “This Act would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats,” Therrien said. “It is not clear that this would be a proportional measure that respects the privacy rights of Canadians.” [Toronto Sun] [Full Story] [Statement from the Privacy Commissioner of Canada following the tabling of Bill C-51] [CBC: Bill C-51 aims to ‘remove terrorist propaganda’ from internet] [Anti-terrorism powers: What’s in the legislation?] [PM Harper admits proposed anti-terror law would not have stopped Ottawa attack] [Canada’s New Anti-Terror Bill Gives the Government Sweeping New Powers] [Additional oversight for security agencies just ‘needless red tape’: Government] [Former CSIS officer warns new federal anti-terror bill will ‘lead to lawsuits, embarrassment’] [It’s easy to imagine Bill C-51 actually undermining Canada’s anti-terrorism strategy] [Barbara McIsaac: Bill C-51 and the Sharing of Personal Information]

CA – CSIS’s New Powers: How the New Legislation Will Affect Security Agencies

The federal government has unveiled security legislation. Here’s a breakdown of what the new powers will allow and how the legislation will affect Canada’s spy and security services.

NEW POWERS: Canada’s spy service would become an agency that actively tries to derail terror plots at home and abroad – not just one that collects intelligence and hands it off to the RCMP.

NEW OFFENCES: The bill would give authorities the power to order the removal of “terrorist propaganda” from websites. It would also create a new criminal offence of encouraging someone to carry out a terrorist attack.

LOWER THRESHOLDS: Authorities could apply to a court if they believe terrorist activity “may be carried out.” The previous threshold called on authorities to state they believed an act “will be carried out.”

LONGER DETENTION: The bill extends the length of time authorities can detain suspected terrorists for up to seven days from three and expands the no-fly regime to cover those travelling by air to take part in terrorist activities.

INFORMATION SHARING: The bill grants government departments explicit authority to share private information, including passport applications or confidential commercial data, with law-enforcement agencies. [Globe & Mail] [Editorial: Worrying new powers for CSIS]

CA – Ed: Why Is The Opposition Silent On The Terror Bill?

Why is the opposition silent on the government’s anti-terror bill? This is a complex, far-reaching piece of legislation with serious implications for good and ill, one that deserves the most searching democratic scrutiny. All the more surprising, then, that Canada’s two main opposition parties have had so little to say about it. Apart from arguing in favour of increased oversight — preferably by a parliamentary committee — neither New Democratic Party leader Thomas Mulcair nor Liberal leader Justin Trudeau has addressed the content of the legislation in any detail. [National Post]

CA – BC IPC: Federal Terror Bill A “Privacy Game-Changer”

“This kind of broad sharing of information is a privacy game-changer and it’s not clear as to whose information we’ll share with national security agencies, for what specific purposes and whether there are any safeguards in place,” Elizabeth Denham told Thompson Rivers University law students Wednesday afternoon. “We need to watch the watchers,” Denham said. [Source]

CA – Anti-Terrorism Bill Will Unleash CSIS on a Lot More than Terrorists

Liberal Leader Justin Trudeau has announced his party will support the government’s new anti-terrorism bill and sort out any vexing details later on. That’s a bit like buying a bull because you hope its excrement can be sold as perfume. The NDP – the Official Opposition – actually intends to do its job and oppose the legislation. Here are some questions to help it along: [Globe & Mail]

CA – Tories Defend Expanded Powers of CSIS Amid Calls for Greater Oversight

Ottawa is rejecting calls for parliamentary oversight of the nation’s spies, dismissing such increased scrutiny as “needless red tape.” Conservatives defended their controversial new anti-terrorism legislation, which has faced criticism for massively expanding the powers of the CSIS without added public oversight. Public Safety Minister Steven Blaney argued the Security Intelligence Review Committee, a five-member body that investigates complaints against CSIS, is enough. “We can be very proud of what they are doing,” he said about SIRC on CTV’s Question Period. “Anything additional would be just duplication.” The anti-terrorism legislation would give CSIS the right to disrupt terrorist activity, such as by pulling suspected terrorists off planes or messing with their bank accounts. A judge would have to sign off on such actions ahead of time. The legislation would also make it easier to arrest people for promoting terrorism. Critics say there are not enough checks on these new powers. “What is absolutely missing in this legislation is oversight, oversight, oversight,” Liberal MP Wayne Easter, a former solicitor-general, said on Question Period. “That’s what’s needed for two things. One: to ensure that the new powers in this new legislation that agencies will be granted will not infringe on the privacy rights of Canadians. Two: to ensure that the agencies are using their powers within the law.” Tory MP Roxanne James hit back. “We are not interested in creating needless red tape.” [The Globe and Mail]

CA – Supreme Court to Hear Dispute Over CSIS Powers to Spy on Canadians

The case pits CSIS against the Federal Court of Canada in a confrontation over whether the court has the authority to approve CSIS warrant applications to electronically spy on Canadians overseas. The federal court insists it has no such power. CSIS and the government argue it does. The competing positions are layered in complex legal arguments laid out in secret courtroom hearings. [Source]

CA – Edward Snowden Right to Urge Caution on Anti-Terror Measures: Editorial

Whistleblower and international fugitive Edward Snowden is right in urging Canadians to be extraordinarily cautious regarding Ottawa’s new Anti-Terrorism Act. Prime Minister Stephen Harper is right to be concerned about terrorist activities, and it’s vital that agencies protecting Canadians from such threats be adequately empowered. But so far, the government has not made a convincing case that its proposed new law would have stopped the earlier attacks, or would prevent future ones. [Source] [Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise ]

CA – Walkom: Craven Opposition Letting Terror Bill Sail Through

The Liberals and NDP are afraid to criticize the substance of Bill C-51. Too bad. There is a lot they could say. …the Canadian Civil Liberties Association asked the most trenchant question: Why are these extraordinary new security powers needed? “There are still no answers as to why our existing laws and powers didn’t work — or if they didn’t work,” CCLA executive director Sukanya Pillay wrote. She also pointed out that criminalizing something as vague as the advocacy of terrorism could have a chilling effect on academics and journalists. The British Columbia Civil Liberties Association has gone even further, saying that Bill C-51 would create “an unprecedented expansion of powers that will harm innocent Canadians and not increase public safety.” [Weak-kneed opposition lets Conservative terror bill sail through: Walkom] [CA – Elizabeth May Condemns Bill C-51, Saying It Would Create A Secret Police Force]

CA – Inside the Orwellian Launch of Tories’ Anti-Terrorism Act

During the question-and-answer period, reporters asked how the government would decide who is supporting terrorism. Stephen Maher from Postmedia asked if someone would be breaking the law if they posted material encouraging attacks by Ukrainian militants on Russian targets in Crimea. The row of bureaucrats at the front of the room said they wouldn’t speculate on hypothetical situations. Many answers seemed scripted to the point where one reporter asked if they were just reading parts of the backgrounder as their answers. The staffer replied that they weren’t. [Locked up reporters, denied a look at the bill, revolt] [How terrorists succeeded in making us go bonkers ] [Bill C-51: Harper’s Attempt to ‘Arrest His Way out of Terrorism’ ]

CA – The Fiasco of Bill C-51

But the first thing to get out of the way about Bill C-51 is that the proposed law is not just about terrorism. It’s also about securing to the government a fairly sweeping range of national-security and police powers to target activity that “undermines the security of Canada” by interfering with federal capabilities in relation to the country’s “economic or financial stability.” This doesn’t make things any more reassuring, mind you. The government’s recent record on that front isn’t exactly unblemished. [Ottawa Citizen] [Fighting Terror: Privacy vs. Security]

CA – Bill C-51 Has Troubling Civil Liberties Issues for Air Travelers

Bill C-51 would enact the Secure Air Travel Act. This legislation would amend Canada’s approach to its “do-not-fly” list under what is known as the “Passenger Protect Program”. …there are a number of features that are likely to be troubling to civil liberties advocates. In particular, the lowered threshold and expanded grounds for being placed on the “Specified Persons List” which functions as Canada’s “do-not-fly” list are likely to be of concern given the potential sharing of information with foreign governments. It is expected that advocacy groups may be concerned that this information sharing, combined with lower thresholds and expanded grounds, could increase the risk of the detention of Canadians abroad merely on “suspicion” of knowingly contributing to terrorist activities. [Canada’s Proposed Secure Air Travel Act]

CA – Mere Oversight Won’t Fix Tory Surveillance Bill: Geist

Bill C-51’s potential to harm privacy and civil liberties requires a detailed, non-partisan review. Bill C-51 appears to allow Canada’s spy agency “to effectively ignore any law (domestic or otherwise), and do whatever is deemed necessary to counter activities that extend far beyond just terrorism.” [Star] [Anti-terrorism legislation requires vigilance: Editorial]

CA – Secrecy Shrouds Ottawa’s Information-Sharing Deal With Five Eyes Allies

A veil of secrecy has dropped around a series of immigration information-sharing agreements between Canada and its “Five Eyes” allies. The federal privacy commissioner’s office said it has raised concerns with the department about unauthorized use, disclosure or transfer of information that goes beyond Canada’s borders, both under the deal with the U.S. and the five-country information sharing initiative. Anne-Marie Hayden, a spokeswoman for Privacy Commissioner Daniel Therrien, said the office has advised the department that “refugee claimants are a particularly vulnerable group and information sharing should continue to be done on a limited, case-by-case basis. Sharing of this sensitive information should be undertaken with caution and under strict safeguards and protocols.” [The Star] [How Canada compares to ‘Five Eyes’ members in intelligence oversight: Canada is the only member of the “Five Eyes” intelligence-sharing alliance that does not have legislative oversight of its security agencies].

CA – MacKay Once Backed Intelligence Oversight Now Rejected by Tories

As deputy leader of the Conservative Party in 2005, Mr. MacKay argued forcefully for giving MPs and senators a role in overseeing Canadian spies. “When you talk about a credible oversight body, I would suggest … that a parliamentary body is going to have more credibility because of its independence and because of the fact that there is also parliamentary accountability that will be brought to bear,” Mr. MacKay said in October of that year. “To that end, I suggest that it would also cause a little bit more diligence on the part of the security agents themselves, just knowing that this oversight body was in place.” [Globe & Mail]

CA – Canada Revenue Agency Can Now Provide Police With Evidence of Crimes

The Canada Revenue Agency gained the little-noticed new authority, which does not require a judicial warrant, through an amendment tucked into the government’s most recent omnibus budget bill. Previously, confidentiality provisions in the law prevented the agency from handing information about suspected wrongdoing, on its own initiative, to law enforcement. The exception was information that pointed to tax-related crimes. The new provisions apply to offences including breaking and entering, vehicle theft, arson, corruption and kidnapping. They also allow authorities to pass along information about any offence with a minimum prison term, or one with a maximum sentence of 14 years. [Source]

CA – 80% of Canadians Will Choose A Business on Its Privacy Reputation: Survey

According to a new survey, nine in 10 Canadians are concerned about privacy — including 34% who say they are extremely concerned. That’s according to a new poll released by the federal privacy commissioner to mark Data Privacy Day. The number who said they are extremely concerned is up almost 10% from the survey done in 2012.

  • Almost eight in 10 people surveyed (78%) have become less willing to share their personal information with organizations in the wake of media stories about sensitive information being lost, stolen or made public;
  • Eight in 10 (81%) are more likely to choose to do business with a company specifically because it has a good reputation for privacy practices.

The privacy commissioner’s survey also found:

  • A significant majority (78%) expressed concern about how personal information about them online might be used in the context of government surveillance;
  • More than half of Canadians (57%) said they were “not comfortable” with government departments and agencies requesting personal information from telecommunications companies without a warrant;
  • Canadians expressed particular concern about what might happen to the personal information stored on a mobile device if it was lost or stolen, with nearly half (49%) saying they were extremely concerned;
  • Nearly 30% of respondents said they had been negatively affected by a breach. Most felt it is at least somewhat likely that their privacy may be breached by someone using their credit or debit card (78%), stealing their identity (78%), or accessing personal information stored on their computer or mobile device (74%).

Roughly half of Canadians said they don’t have a good understanding of what businesses and government will do with their personal information. [IT World] [Privacy survey is a wakeup call for CIOs ]

CA – Saanich Disables Covert Monitoring Software at Municipal Hall

Privacy commissioner Elizabeth Denham launched an investigation last month after newly elected Mayor Richard Atwell alleged that spyware had been installed on his work computer without his consent. Denham, acting on her own, said her investigation will examine whether the district’s use of employee-monitoring software complies with the Freedom of Information and Protection of Privacy Act. She expects to finish her review by the end of March and make her findings public. Laidlaw [Saanich Chief Administrative Officer] said Saanich may revisit the issue after Denham reports. [Times-Colonist]

CA – Watchdog cum Lobbyist Loukidelis Now Acts for Vancouver Publisher

Once paid to ensure that the privacy of British Columbians was protected, Loukidelis is now lobbying the government to amend provincial rules to permit digital information about British Columbia high school students to be sent to China. The Vancouver publisher has printed yearbooks in China since 2007 and is seeking a ministerial directive to allow it to continue to send student information — including names, photographs and year of study — overseas on a temporary basis. [Source]


WW – Poll Exposes Drone Opinions

In a new Reuters/Ipsos online poll, 73% of respondents said they “want regulations” on privately owned drones. Reuters reports various concerns from respondents, including being “uneasy about potential invasions of privacy by drones carrying cameras or other devices.” The report also found 42% of respondents opposed “private ownership of drones, suggesting they prefer restricting them to officials or experts trained in safe operation.” [Full Story]

US – AT&T Lets Users Opt Out of Tracking, But With a Price

AT&T’s gigabit fiber-to-the-home service charges customers based on their privacy preferences. The GigaPower service is the same price as Google Fiber, but users who do not want their web browsing activity tracked must pay an additional $29 per month. AT&T says it tracks “the webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter… AT&T Internet Preferences works independently of your browser’s privacy settings regarding cookies, do-not-track and private browsing. If you opt-in to AT&T Internet Preferences, AT&T will still be able to collect and use your web browsing information independent of those settings.” [Ars Technica]

US – ADL Says RTBF “Has No Place in the U.S.”

In a blog post, the Anti-Defamation League (ADL) says it supports a decision made by Google’s Advisory Council that right-to-be-forgotten takedown requests should only be honored in the EU. The ADL reiterated its own policy position from last November, stating that “individuals should not have the right to have links to old and/or embarrassing information about themselves removed from Internet search results.” They explain, “Doing so is tantamount to taking a scalpel to library books, allowing people to tear from public record things about themselves from the past that they simply do not like.” For example, it could allow “a white suprema­cist to erase all traces of his history of bigoted rhetoric before running for public office, denying the pub­lic access to make a fully informed decision.” [Full Story]

US – Researcher: Some Pledge-Signers Still Vulnerable

A security researcher has found several companies that have signed the Student Privacy Pledge do not use basic data security, The New York Times reports. Of the 60 or so companies that have currently signed the pledge, approximately 20 percent of them did not use Secure Sockets Layer encryption during the log-in process for students, parents and teachers. Though there is no evidence the weak security has allowed any breaches, the vulnerabilities could easily be exploited, the report states. Company executives confirmed the log-ins aren’t currently encrypted and said “they had been caught in the process of updating their security measures,” the report states. [Full Story]


US – Considering Legislation to Let Non-Americans Seek Judicial Redress

The U.S. intelligence community and its EU counterparts are negotiating legislation that would enable non-Americans to “seek judicial redress for intentional or willful disclosures of protected information,” according to comments by Robert Litt, general counsel for the U.S. Office of the Director of National Intelligence, during a discussion at the Brookings Institution on Wednesday. “We are working on legislation right now,” Litt said. “We’ve been discussing this with representatives of the EU as well.” [Sputnik]

US – FTC Joins Agencies Adding Security Layer to Consumer Sites

The Federal Trade Commission (FTC) has joined a number of other federal agencies in deploying additional security best practices for public consumer websites. The websites have enabled a feature called HTTP Strict Transport Security (HSTS), which tells browsers that all future communications with the site must be encrypted by default, so that when visitors attempt to visit the sites, HSTS-enabled browsers will automatically encrypt the connection without any additional instruction from the website, reducing the potential for an attacker to impersonate an FTC website when connecting from open Wi-Fi hotspots or insecure networks, the FTC’s blog reports. [Full Story]
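As an added illustration of the mechanism, not code from the FTC or from any browser vendor, the Go program below implements the core of an HSTS policy cache as a browser keeps it: it parses the Strict-Transport-Security header, refuses to honour it when it arrived over plain HTTP (RFC 6797 requires that, since an attacker on the same network could otherwise inject or strip it), stores the policy with an expiry, and rewrites later http:// URLs to https:// before any request leaves. The host name agency.example and the header values are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Policy is one cached HSTS entry, as a browser would keep it.
type Policy struct {
	Expires           time.Time
	IncludeSubDomains bool
}

// Store is a minimal HSTS cache keyed by lower-case host name.
type Store map[string]Policy

// ParseSTS parses a Strict-Transport-Security header value (RFC 6797 6.1):
// max-age is required, includeSubDomains is optional and unknown
// directives such as "preload" are ignored.
func ParseSTS(value string) (maxAge time.Duration, includeSub bool, err error) {
	seenMaxAge := false
	for _, d := range strings.Split(value, ";") {
		name, arg, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			secs, perr := strconv.ParseInt(strings.Trim(strings.TrimSpace(arg), `"`), 10, 64)
			if perr != nil || secs < 0 {
				return 0, false, fmt.Errorf("bad max-age %q", arg)
			}
			maxAge = time.Duration(secs) * time.Second
			seenMaxAge = true
		case "includesubdomains":
			includeSub = true
		}
	}
	if !seenMaxAge {
		return 0, false, errors.New("max-age directive missing")
	}
	return maxAge, includeSub, nil
}

// Observe records the policy a response carried. The header is only
// honoured when it arrived over TLS; max-age=0 deletes the entry.
func (s Store) Observe(host string, overTLS bool, header string, now time.Time) error {
	if !overTLS {
		return errors.New("STS header received over plain HTTP is ignored")
	}
	maxAge, sub, err := ParseSTS(header)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if maxAge == 0 {
		delete(s, host)
		return nil
	}
	s[host] = Policy{Expires: now.Add(maxAge), IncludeSubDomains: sub}
	return nil
}

// Upgrade rewrites an http:// URL to https:// when the host, or a parent
// domain whose policy covers subdomains, has an unexpired entry. This is
// the step that keeps the first plaintext request from ever being sent.
func (s Store) Upgrade(rawURL string, now time.Time) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "http" {
		return rawURL, false
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	for i := range labels {
		p, ok := s[strings.Join(labels[i:], ".")]
		if !ok || now.After(p.Expires) || (i > 0 && !p.IncludeSubDomains) {
			continue
		}
		u.Scheme = "https"
		if u.Port() == "80" { // an explicit :80 becomes the default TLS port
			u.Host = u.Hostname()
		}
		return u.String(), true
	}
	return rawURL, false
}

func main() {
	store := Store{}
	now := time.Now()
	// Simulated first visit over TLS: the site sends HSTS covering subdomains.
	_ = store.Observe("agency.example", true, "max-age=31536000; includeSubDomains; preload", now)
	for _, raw := range []string{"http://agency.example/complaint", "http://www.agency.example/", "http://other.example/"} {
		out, upgraded := store.Upgrade(raw, now)
		fmt.Println(raw, "->", out, upgraded)
	}
}
```

The cache only helps on the second and later visits, which is why the real browsers ship a preload list for sites that ask for it; checking a deployment is as simple as fetching the site over TLS and confirming the header is present with a max-age of months rather than minutes.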

WW – Report Highlights UK Public Sector Cloud Concerns

Nearly half of all public sector respondents to a survey on cloud computing have responded that security is their highest concern. After security, the second most worrisome elements of implementing public sector cloud-based applications were found to be the use of cloud apps sourced or commissioned without involving the IT department (12%) and managing the increasing number of cloud apps in use (also 12%). [Public Technology] [Canadian Treasury Board Gov’t-Wide Policy: keep cloud storage local]


US – Congress Takes Up Email Privacy Reform. Again.

Reforming the rules regarding email privacy is a mere step in the walk towards correcting the mass surveillance that the United States government executes, but it is an important piece of progress all the same. [TechCrunch]

Electronic Records

US – Medine: Section 215 Can and Should Be Shut Down

Privacy and Civil Liberties Oversight Board Chairman David Medine writes in a Lawfare post that the National Security Agency’s metadata surveillance program can and should be shut down. He notes that Section 215 of the USA PATRIOT Act should be “abandoned in favor of targeted queries to individual telephone companies based on individualized suspicion,” because it’s “not only more privacy protective but better for national security.” [Full Story]

US – Debate Heats Up Over Safety of Electronic Health Records

But Ross Koppel, a University of Pennsylvania professor who has published extensively on the topic in medical journals, called the federal government’s stance at the conference “a whitewash.” “They are systematically selecting studies and study methods that minimize the hundreds of thousands of errors related to HIT,” he said. “Of course, there was a safety problem with paper, but there are new, different and more wicked problems with HIT.” If the ability to cut and paste information from one chart to another causes it to balloon from three to 3,000 pages, physicians may not even be able to find the “nugget of needed information,” Koppel says. [Source]

US – No Encryption Standard Raises Health Care Privacy Questions

The main federal health privacy law – the Health Insurance Portability and Accountability Act, or HIPAA – encourages encryption, but doesn’t require it. The lack of a clear encryption standard undermines public confidence, some experts say, even as the government plows ahead to spread the use of computerized medical records and promote electronic information sharing among hospitals, doctors and insurers. …the Senate Health, Education, Labor and Pensions committee said it’s planning to examine encryption requirements as part of a bipartisan review of health information security. “We will consider whether there are ways to strengthen current protections,” said Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn. [Source] [The Toronto Star: Ontario is lagging behind other health jurisdictions on the protection of patient privacy]


US – Box Hands Cloud Encryption Keys Over To Its Customers

Key management system keeps data safer from intrusion—and government demands. Box needs permission from the customer when decrypting files. “Before we can use our key, we need the customer to decrypt it inside the HSM,” the company said. “It’s a layered encryption model. So while the data itself is not encrypted with the customer’s key, the customer key is the gatekeeper for decrypting it. In effect, our key is useless until it’s decrypted by the customer.” Each time Box needs temporary access to decrypt files, “we go back to the customer to request access (by sending over the document key for decryption). Each request is captured in the logs controlled exclusively by the customer. Customers can monitor that log to see how the data is accessed and how the keys are being used, and we have no way of modifying that log.” The customer doesn’t have to manually approve each request, but anything out of the ordinary would be flagged. [Ars Technica]
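The layered model Box describes is envelope encryption with a customer-held key-encryption key. The Go program below is an added example, not Box’s code, of that arrangement: the provider encrypts each document under its own random key, the customer side (standing in for the HSM) wraps and unwraps those keys, and every unwrap request, refused or not, lands in a log the provider never holds a writable reference to. Type and function names and the Deny policy hook are this example’s own; the customer KEK is passed in only to keep the example self-contained.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal is AES-256-GCM with the random nonce prefixed to the output; aad
// binds the ciphertext to its context (here the document id).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on tampering or an aad mismatch.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// AccessEntry is one line of the customer-controlled audit log.
type AccessEntry struct {
	DocID, Reason string
	Allowed       bool
}

// CustomerKMS stands in for the customer's HSM: the key-encryption key never
// leaves it and every unwrap request is logged before it is answered.
// Deny is an optional policy hook for requests the customer wants refused.
type CustomerKMS struct {
	kek  []byte
	log  []AccessEntry
	Deny func(docID, reason string) bool
}

// NewCustomerKMS takes a 32-byte KEK (generated inside the HSM in practice).
func NewCustomerKMS(kek []byte) *CustomerKMS { return &CustomerKMS{kek: kek} }

// Wrap encrypts a document key under the KEK, bound to the document id.
func (c *CustomerKMS) Wrap(docID string, docKey []byte) ([]byte, error) {
	return seal(c.kek, docKey, []byte(docID))
}

// Unwrap is the only path back to a document key; refusals are logged too.
func (c *CustomerKMS) Unwrap(docID string, wrapped []byte, reason string) ([]byte, error) {
	allowed := c.Deny == nil || !c.Deny(docID, reason)
	c.log = append(c.log, AccessEntry{docID, reason, allowed})
	if !allowed {
		return nil, errors.New("unwrap refused by customer policy")
	}
	return open(c.kek, wrapped, []byte(docID))
}

// Log returns a copy, so the provider never holds a slice it could edit.
func (c *CustomerKMS) Log() []AccessEntry { return append([]AccessEntry(nil), c.log...) }

// Stored is all the provider keeps; neither field is useful without the KEK.
type Stored struct {
	Ciphertext, WrappedKey []byte
}

// Store (provider side) encrypts under a fresh per-document key, has the
// customer wrap that key, and keeps only ciphertext plus the wrapped key.
func Store(kms *CustomerKMS, docID string, data []byte) (Stored, error) {
	docKey := make([]byte, 32)
	if _, err := rand.Read(docKey); err != nil {
		return Stored{}, err
	}
	ct, err := seal(docKey, data, []byte(docID))
	if err != nil {
		return Stored{}, err
	}
	w, err := kms.Wrap(docID, docKey)
	if err != nil {
		return Stored{}, err
	}
	return Stored{Ciphertext: ct, WrappedKey: w}, nil
}

// Read (provider side) must ask the customer to unwrap the key first, which
// is where the customer's policy and log get their say.
func Read(kms *CustomerKMS, docID string, s Stored, reason string) ([]byte, error) {
	docKey, err := kms.Unwrap(docID, s.WrappedKey, reason)
	if err != nil {
		return nil, err
	}
	return open(docKey, s.Ciphertext, []byte(docID))
}
```

Binding the wrapped key to its document id through the GCM associated data is what stops a provider, or anyone who copies its storage, from presenting one document’s wrapped key as another’s; the log records the attempt either way, which is the monitoring the article describes.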

WW – Developer Reveals Flaw in WhatsApp Privacy Settings

A developer from The Netherlands has revealed that WhatsApp’s privacy settings can be bypassed with a simple bit of software. The software kit, released by Maikel Zweerink, allows a user to see whether other WhatsApp users are online, even if their status is set to “private.” His goal with the release of the software, he wrote in a blog post, is to demonstrate that the popular messaging service is “broken … in terms of privacy.” He added, “This is not a ‘hack’ or an ‘exploit,’” it is “broken by design.” [International Business Times]

WW – Email Encryption Developer Was Going Broke; Facebook, Others Chip In

The developer of one of the world’s most-used email encryption services, Werner Koch, was almost out of funds to stay in business when ProPublica published a report on the developer of Gnu Privacy Guard, a service used by investigative journalists, whistleblowers—including Edward Snowden—and dissidents. Koch “has been almost single-handedly keeping it alive with patches and updates from his home” in Germany, the report states, earning a fraction of what he could have made in private industry and falling short of paying himself and hiring a programmer. Facebook and payment provider Stripe, however, each agreed to donate $50,000 a year toward the open-sourced project; the Linux Foundation’s Core Infrastructure Initiative has provided a one-time grant of $60,000, and other donations have come in since the article was first published. [Full Story]

EU Developments

UK – GCHQ Mass Internet Surveillance Was Unlawful, IPT Rules

The Investigatory Powers Tribunal has ruled that GCHQ’s access to information gathered by the NSA through its mass surveillance programs was unlawful. …The ruling would trigger massive claims against the intelligence services; the principal human rights organizations will request access to records related to their activities and members. On the other hand, the intelligence agencies are already reorganizing their TTPs to continue to operate and protect their homeland security. [Security Affairs] See also: [EurActiv reports MEPs approved a law allowing member states “to share information on car registries”]

EU – DPAs Form Task Force Following Facebook Privacy Policy Changes

A group of European data protection authorities (DPAs) formed a task force in reaction to the latest changes to Facebook’s privacy policy. The group will be led by Belgium, The Netherlands, Germany and “perhaps” Italy, a spokesman from Belgium’s state secretary for privacy said. At issue are the company’s practice of tracking users when they are not on its site and using information from profiles for commercial purposes, the report states. Germany’s DPA has taken issue with how Facebook processes personal data, particularly between other services it already owns, such as WhatsApp and Instagram. [IDG News Service] [EU data protection authorities get serious about Facebook’s privacy policy ]

EU – Working Party Clarifies Health Data Definition in Apps

The Article 29 Working Party (WP29) has responded to a request from the European Commission, made in the framework of its mHealth initiative, to clarify the definition of data concerning health in lifestyle and well-being apps. The WP29 responded that it supports a broad definition of health data, distinguishing three categories: the data is inherently or clearly medical data; the data is raw sensor data that can be used, on its own or in combination with other data, to draw conclusions about a person’s health status or risk; or conclusions are drawn about a person’s health status or risk. The WP29 considers “explicit consent as the most likely legal ground” for processing health data. [National Law Review]

UK – ICO’s Data Protection Audit Powers Extended to Cover NHS bodies

NHS bodies in the UK can now be forced to open themselves up to data protection audits under new powers handed to the Information Commissioner’s Office (ICO). The ICO had long campaigned for the compulsory audit powers they have under the Data Protection Act to be extended to the public health sector. Previously, the ICO could only compel central government departments to participate in a data protection audit and needed the consent of other organisations to investigate their procedures. [Source] [Hackers will target online NHS medical data, warns ICO] [UK NHS authorities may be subject to compulsory audits of their data protection initiatives by the Information Commissioner’s Office]

EU – Ministers Call for More Border Checks

EU interior ministers have called for more border checks to fight terrorism in the wake of recent attacks in France and Belgium. The ministers want to change the rules governing the passport-free Schengen area to allow for “systematic checks against databases relevant to the fight against terrorism” when people enter and exit the area. Currently such checks can only be carried out on an ad hoc basis. EU home affairs commissioner Dimitris Avramopoulos noted that changes for faster data exchange within the Schengen system have already been adopted and that checks are currently possible, too. Avramopoulos agreed that member states need to improve their data exchanges. “Europol needs to receive all relevant information in order to track the travel routes of terrorists,” he said. [EU Observer] See also: [MEPs have “agreed to work towards a deal to share airline passenger data” before the year’s end.] [The U.S. intelligence community and its EU counterparts are negotiating legislation that would enable non-Americans to “seek judicial redress for intentional or willful disclosures of protected information”].

UK – UK Lords Try to Sneak Through Snooper’s Charter Once Again

A week ago, we noted that a group of UK Lords were trying to rush through the “Snooper’s Charter” that had previously been rejected by the UK. The bill, of course, was about giving the government tremendous levels of access to everyone’s electronic data with little oversight. Thankfully, despite having little notice, the attempt caused a flurry of attention and the Lords were forced to back off the plan. It seemed like another good “win” for supporters of privacy and democracy. Many people still expected the UK government to try again, but few expected it would happen so soon. Yes, less than a week after having the last attempt rejected vocally, the same group of Lords are trying yet again: On Saturday, ahead of a “report stage” debate on Monday (the Counter-Terrorism and Security Bill is almost fully baked), Lords West, Blair, Carlile and King introduced a new amendment that appears to be almost identical to the last, and to the Communications Data Bill before it. Again, this new amendment would force “telecommunications operators” – which these days includes the likes of Facebook and Skype, as well as traditional telcos – to store communications metadata for up to a year and hand it over to U.K. authorities when requested. This data retention regime may require the providers to install “specified equipment or systems.” [Source] [UK – Q&A: The UK’s controversial draft counter-terrorism laws]

EU – Germany’s BND Muscles in on Metadata Mass Surveillance

Leaked German intelligence documents show that the BND stores roughly one per cent of its daily metadata trawl for up to 10 years; the remainder is discarded after weeks or months. Privacy group Access Now, which according to its website “defends and extends the digital rights of users at risk around the world”, called on the BND to curtail its NSA-style “collect-it-all” programme, noting that Germany has been one of the most vocal international critics of NSA surveillance. [Vacuumed info flows into NSA-wannabe branch offices] See also: [European Commission is considering requiring telecoms to store communications data of EU citizens in order to fight terrorism] | [France’s interior minister is lobbying MEPs that a passenger name record bill “is an essential tool, among many others, needed to fight terrorism.”] | [Germany’s government has announced plans to widen data retention].

EU – German Bill to Bring Fundamental Change to Data Protection Law

Germany’s federal cabinet has approved a bill that will allow consumer organisations to take businesses to court if they do not comply with the country’s data protection laws. To date, consumer associations in Germany have had difficulty in challenging data protection shortcomings by companies, Appt said. The law previously required them to prove that a provision in a privacy policy is designed either to regulate market behaviour or to protect consumers, and civil courts have not generally qualified these provisions under either category. [Source] [What data protection reform will mean for obtaining ‘customer consent’] [reports on the potential changes that may come with a German bill to extend consumer rights organizations’ ability to sue on behalf of consumers] | [The German government has approved a draft law that would, among other things, empower consumers to initiate legal action for injunctive relief against companies violating the data protection law: The National Law Review] SEE ALSO: [Telecompaper: the lower house of the Dutch parliament has approved legislation requiring organizations to report data breaches] and [Telecompaper: the Dutch government responded to questions from Parliament saying its data retention legislation was implemented legally, and the justice minister reiterated the intent to maintain the law].

Facts & Stats

US – Survey: General Counsel Concerned with Ethics, Compliance, Breaches

According to the latest annual survey of general counsel and chief legal officers, 96% said the function of ethics and compliance was “important” for 2015 and about 25% said it was “extremely important,” more so than all other categories. Not far behind, however, are concerns about data breaches and protection of corporate data. Responsibility for compliance functions is increasingly being tucked back inside companies rather than outsourced to law firms, said Veta Richardson, CEO of the Association of Corporate Counsel, which conducted the survey. Other topics listed as concerns include privacy and whistleblower claims. [The Wall Street Journal]

WW – Survey: In-House Counsels have Data Breaches on Their Minds

For every Target Corp., it seems, there are several others that see their data systems breached. More than a quarter of the GCs surveyed reported experiencing a data breach within the last two years, a figure that reached a full 50% within the health-care industry. (As the WSJ reported last fall, general counsel in the financial industry are, among other things, demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers.) [Nation’s In-House Counsel are Worried About Ethics, Data and ‘Trolls’]


WW – New Technology May Bolster Cryptocurrencies’ Success

Despite setbacks including a 67% drop in value last year, cryptocurrency advocates remain optimistic about Bitcoin’s future. And thanks to a new technology development, they may have good reason. Crypto 2.0 may help push cryptocurrencies to the mainstream. It’s essentially a layer built on top of Bitcoin’s underlying blockchain technology that enables a variety of applications—and they can be decentralized so they aren’t subject to one controlling authority. [Techonomy ]

CN – China Wants Banking Backdoors

Chinese authorities reportedly want to see the source code for all software and hardware that gets sold to its banking sector, as well as see vendors submit to rigorous audits and build government-approved backdoors into their products. But Western technology firms have reacted with alarm at the proposed “cybersecurity review regime,” and warned that it may soon be expanded to cover much more than just the banking sector. The draft Chinese banking regulations were contained in a 22-page report that was finalized at the end of 2014, and which is expected to be officially unveiled in the coming months as part of a Beijing-led cybersecurity push. The current version of the letter from Chinese authorities – which has reportedly been circulating in draft form in recent months, triggering escalating alarm from foreign technology firms – says 75% of the software and hardware products used by the Chinese financial services sector must be “secure and controllable” by 2019. The letter does not define what it means by those terms, but includes a chart specifying that for many types of computing and network equipment, vendors would have to share their source code with Chinese authorities. [Bank Info Security]


WW – 7 Things to Love About reddit’s First Transparency Report

We’re impressed by reddit’s first transparency report. In fact, the report tracks remarkably closely to EFF’s annual Who Has Your Back report, which rates companies on factors like requiring a warrant for content and informing users about government data requests. While we have no way to know whether reddit could have done more to fight government requests for user data, we can say with certainty that it adopted industry best practices in its first-ever transparency report. [Source]

US – Canary Watch Tracks Sites FBI, NSA Haven’t Hit Up

While Internet service companies often want to be transparent about user privacy, they’re sometimes forced by law to stay mum on when they receive specific data requests from the National Security Agency or Federal Bureau of Investigation. However, there’s nothing stopping them from saying they haven’t received such requests, which is where a new website called Canary Watch comes in. The site tracks statements by websites like Pinterest, for example, saying they haven’t received national security requests, the report states. If those disclosures disappear, Canary Watch will flag that, “indicating that the site was likely served a warrant.” [Engadget]
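What a service like Canary Watch has to do mechanically, as an added example that is not part of the original article and is not Canary Watch’s own code: poll a published statement and decide whether it is still a live canary. A canary that vanishes, goes stale or is quietly reworded is the signal, so the check reports all three rather than only “statement present”. The sample statements, the 120-day freshness window and the phrase lists are constructed for the illustration.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed sample canary texts (not from any real site). The first is the
# baseline; the others show the three ways a canary goes bad.
CANARY_OK = """Transparency statement, last updated 2015-02-01.
As of the date above, we have never received a National Security Letter,
FISA order, or any other classified request for user information."""

CANARY_STALE = CANARY_OK.replace("2015-02-01", "2014-06-01")

CANARY_WEAKENED = """Transparency statement, last updated 2015-02-01.
As of the date above, we have never received a National Security Letter,
FISA order, or any other classified request for user information, except
as described in our semi-annual transparency report."""

CANARY_GONE = """Transparency statement, last updated 2015-02-01.
We publish aggregate counts of government requests twice a year."""

TODAY = date(2015, 2, 15)  # fixed "now" so the example is reproducible

DATE_RE = re.compile(r"last updated (\d{4}-\d{2}-\d{2})")
# Phrases the baseline statement contained; all of them must still be present.
REQUIRED = ("never received", "national security letter", "fisa order")
# Qualifiers that hollow out a statement while leaving its key phrases intact.
WEAKENERS = ("except", "other than", "unless", "to the extent")


def fingerprint(text):
    """Whitespace-normalised SHA-256, so a cosmetic re-render does not alert."""
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()


def check_canary(text, today, max_age_days=120):
    """Classify a canary as 'ok', 'stale', 'weakened' or 'missing'.

    A canary only means something while it keeps being refreshed and keeps
    saying the same thing; silence and quiet rewording are both reported.
    """
    lowered = text.lower()
    missing = [p for p in REQUIRED if p not in lowered]
    weakened = [w for w in WEAKENERS
                if re.search(r"\b" + re.escape(w) + r"\b", lowered)]
    if weakened:
        return "weakened"
    if missing:
        return "missing"
    m = DATE_RE.search(text)
    if m is None:
        return "missing"  # an undated canary cannot be shown to be current
    updated = date.fromisoformat(m.group(1))
    if today - updated > timedelta(days=max_age_days):
        return "stale"
    return "ok"


def watch(baseline, current, today):
    """One polling cycle: status plus whether the text changed at all."""
    return {"status": check_canary(current, today),
            "changed": fingerprint(current) != fingerprint(baseline)}


if __name__ == "__main__":
    for name, text in [("ok", CANARY_OK), ("stale", CANARY_STALE),
                       ("weakened", CANARY_WEAKENED), ("gone", CANARY_GONE)]:
        print(name, watch(CANARY_OK, text, TODAY))
```

The phrase lists are deliberately tied to one baseline statement: a generic keyword scan would miss the common failure where the sentence survives but an “except as…” clause is appended. A real monitor would also verify any PGP signature the site publishes on the statement, which this example does not do.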

WW – Governments’ Twitter Data Requests Up 40 Percent

Twitter released its biannual transparency report detailing the number of government requests for user data and noting a dramatic rise in the number of those requests. Government requests—coming in from more than 50 different countries—rose by 40% since its last report in July 2014. The U.S. “continues to make the majority of requests for account information,” Twitter stated in its report, “comprising 56% of all requests received.” In a column for The Atlantic reacting to the latest report, Adrienne LaFrance writes, “All of this is a reminder of one of the core principles of modern communication: that nothing is private on the Internet.” [The New York Times]

US – Jeb Bush Releases Emails But Doesn’t Redact PII

In a bid to be more transparent in anticipation of a possible run for the 2016 presidential election, former Florida Gov. Jeb Bush on Tuesday released all of his email transactions when serving as governor between 1999 and 2007. However, in his attempt to be more transparent for political reasons, Bush did not redact any personal information from the emails, including email addresses, contact information, medical data and Social Security numbers. [Full Story]
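The redaction pass that was skipped, as an added example (not the Bush office’s process or any vendor’s tool): patterns for the structured identifiers the article names, an allow-list so the office’s own addresses stay visible, and a release gate that refuses to pass while a scan still finds hits. The sample message and the example.gov domain are constructed.

```python
import re

# Constructed sample message (not from the real release) with the kinds of
# data an unredacted dump exposes.
SAMPLE = """From: jane.doe@example.com
To: governor@example.gov
Subject: help with my disability claim
My SSN is 123-45-6789 and my phone is (850) 555-0142.
Reference 000-12-3456 is a ticket number, not an SSN."""

# Assumption: mail from the office's own domain stays visible; everyone else
# is a constituent whose address is redacted.
ALLOWED_EMAIL_DOMAINS = {"example.gov"}

# SSN with ranges the SSA never issues excluded (area 000/666/9xx, group 00,
# serial 0000); this trims false positives on ticket and order numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)")


def redact_pii(text):
    """Return (redacted_text, counts); the counts drive the release gate."""
    counts = {"ssn": 0, "email": 0, "phone": 0}

    def ssn(_m):
        counts["ssn"] += 1
        return "[SSN REDACTED]"

    def email(m):
        if m.group(1).lower() in ALLOWED_EMAIL_DOMAINS:
            return m.group(0)
        counts["email"] += 1
        return "[EMAIL REDACTED]"

    def phone(_m):
        counts["phone"] += 1
        return "[PHONE REDACTED]"

    text = SSN_RE.sub(ssn, text)   # SSNs first, so the phone pattern never eats a fragment
    text = EMAIL_RE.sub(email, text)
    text = PHONE_RE.sub(phone, text)
    return text, counts


def safe_to_release(text):
    """Gate: True only if a fresh scan of the text finds nothing to redact."""
    _, counts = redact_pii(text)
    return sum(counts.values()) == 0


if __name__ == "__main__":
    redacted, counts = redact_pii(SAMPLE)
    print(counts)
    print(redacted)
    print("release allowed:", safe_to_release(redacted))
```

Patterns only catch structured identifiers; the medical details mentioned in the article live in free text and still need a human review pass. The point of the example is the gate: a bulk release should be blocked automatically while the scanner reports anything, and a human reviews what it reports, rather than the scanner being the whole control.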


UK – Bioethics Report: “Consent” Is Not Enough

Obtaining individuals’ lawful consent to the processing of their health data does not on its own validate the processing as ethical, a health research body has said. The NCoB said that anonymising personal data and using it to advance medical science or health care was also not, on its own, sufficient to “guarantee” that the use of the data “is morally acceptable”. It said there was a need for “effective governance of the use of data”, after highlighting the potential clash between the public interest in using health data to further medical research and the sometimes competing public interest in protecting “individual privacy”. [Medical researchers and health care providers must consider moral as well as legal questions on data use, says bioethics body] [‘Public should be consulted on NHS medical data-sharing scheme‘]

US – DNA Database Raises Privacy Concerns

A state database containing DNA samples of 16 million Californians is raising concerns among privacy advocates and a state lawmaker. Samples are taken from virtually every baby born in the state to screen for more than 80 health disorders. The frozen samples are stored indefinitely and are shared with genetic researchers for a fee. California officials say the biobank is secure, but some are concerned the sensitive data can be misused. “Throughout the process,” Council for Responsible Genetics President Jeremy Gruber said, public knowledge and consent is “almost completely” absent. Assemblyman Mike Gatto (D-Glendale) said, “Imagine the discrimination a person might face if their HIV status or genetic predisposition to a mental disorder were revealed to the public.” [Los Angeles Times]

US – DNA Volunteers Concerned About Privacy

Science Magazine recently announced “the end of privacy” and, in an interview with NPR, Jennifer Couzin-Frankel, who writes for the magazine, discusses the privacy concerns hundreds of thousands of volunteers have about donating their DNA for medical research. Those concerns include, “Who’s going to have access to the DNA sample that I’m handing over?” or “How much control do I have over who studies it, what they do with it?,” Couzin-Frankel explains. While it was believed for some time that DNA samples could remain anonymous, recent examples have proven DNA sequences can be retraced, the report states. [Full Story]

Health / Medical

US – Data Security, Privacy Top Concerns for FDA, CMS

Officials from the Food and Drug Administration (FDA) and the Centers for Medicare and Medicaid Services (CMS) have said that data security and privacy are top concerns for their agencies. FDA Senior Technical Advisor Joe Klosky said the agency bakes in security and encrypts data, but operational and management controls are needed as well. CMS Office of Technology Solutions Director Janet Vogel said, “Because of the private nature of our data, we’re very sensitive to both privacy and security … Making it easy to have data protected at rest and in transit and in use is a really important feature that we’re looking for.” [Fierce Government IT]

US – Interoperability and Privacy are Buzzwords at 2015 ONC Annual Meeting

Lucia Savage, ONC’s chief privacy officer, emphasized that inconsistent rules about permissions to access, use, and disclose patient data are a key barrier to developing functional and interoperable systems nationwide. She noted that the current system is governed by a patchwork of state rules and often relies on handwritten patient consent—a fundamentally non-interoperable technology. [ONC (Health Info Tech) Meeting: Privacy a Buzzword]

US – WPF Issues Report on Medical Data Protection in Schools

In light of recent news about measles outbreaks across the U.S., the World Privacy Forum (WPF) has released Student Privacy 101: Health Privacy in Schools—What Law Applies? to guide parents about what laws apply to medical data requests of students in schools. “School health privacy can be quite messy,” the WPF post states. “In some private schools, no health privacy law may apply at all,” whereas, in others, the Family Educational Rights and Privacy Act or Health Insurance Portability and Accountability Act may apply. The WPF’s new report “covers the basics of what laws apply, when and where.” [Full Story]

US – HIMSS Calls for Enhanced Privacy

The Healthcare Information and Management Systems Society (HIMSS) recently sent a letter to Congress calling for enhanced privacy measures and healthcare security initiatives. HIMSS has told Congress it must “recognize how important interoperability in health information technology is for the transformation of healthcare in the nation,” the report states, and has called for the public and private sectors to work together. “As the nation enters the fourth year of the Meaningful Use Program, we are at a critical juncture in using IT to improve patient care outcomes via nationwide adoption of EHRs and creating the ability to exchange health information privately and securely,” HIMSS stated. [HealthIT Security]

US – Federal, State Health Sites Still Contain Ad Trackers

The federal healthcare exchange website and 16 state-based exchange websites still contain ad trackers weeks after an Associated Press report found the sites were leaking sensitive personal information to third parties. The Centers for Medicare and Medicaid Services (CMS), which recently said it improved site encryption and narrowed the amount of data flowing to third parties, stated, “One of the most cost-effective and best ways to reach the uninsured is through digital media and advertising.” The Center for Democracy & Technology’s Justin Brookman called it “bad site design,” adding, “Given that they collect such sensitive data, and given that they’re government services where people might not have a choice about visiting, I feel like these sites should really only share data with third parties when absolutely necessary.” [Advertising Age]
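A check a site owner can run before arguing about ad partners, as an added example that is not from the AP report, CMS or any exchange’s code: enumerate the third-party hosts a page embeds and work out which query-string fields those hosts receive through the Referer header under a given Referrer-Policy. The page URL, markup, host names and the list of sensitive keys are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed page standing in for an exchange plan-comparison page; the
# tracker and CDN host names are hypothetical.
PAGE_URL = "https://exchange.example.gov/plans?zip=32301&age=52&income=30000&pregnant=1"
PAGE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example-tracker.net/pixel.js"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.com/font.css">
</head><body>
<img src="https://ads.example-tracker.net/i.gif?c=open-enrollment" width="1" height="1">
<img src="https://exchange.example.gov/logo.png">
</body></html>"""

# Query keys that describe the visitor rather than the page (assumed list).
SENSITIVE_KEYS = {"age", "zip", "income", "pregnant", "smoker"}


class ResourceCollector(HTMLParser):
    """Collect every URL the browser fetches while rendering the page."""
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.URL_ATTRS.get(tag)
        if want:
            self.urls.extend(v for k, v in attrs if k == want and v)


def registrable(host):
    """Crude eTLD+1: fine for .gov/.com/.net, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_hosts(page_url, html):
    first = registrable(urlsplit(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    hosts = {urlsplit(u).hostname for u in collector.urls}  # relative URLs -> None
    return sorted(h for h in hosts if h and registrable(h) != first)


def leaked_via_referer(page_url, policy="no-referrer-when-downgrade"):
    """Sensitive query keys a third party sees in Referer under a Referrer-Policy.

    The historical browser default sends the full URL, query string included,
    to every HTTPS resource the page embeds; origin-only and no-referrer
    policies strip path and query for cross-origin requests.
    """
    sends_full_url = {"no-referrer-when-downgrade", "unsafe-url"}
    if policy not in sends_full_url:
        return []
    keys = [k for k, _ in parse_qsl(urlsplit(page_url).query)]
    return sorted(k for k in keys if k in SENSITIVE_KEYS)


def audit(page_url, html, policy="no-referrer-when-downgrade"):
    return {"third_parties": third_party_hosts(page_url, html),
            "leaked_keys": leaked_via_referer(page_url, policy)}


if __name__ == "__main__":
    print(audit(PAGE_URL, PAGE_HTML))
    print(audit(PAGE_URL, PAGE_HTML, policy="strict-origin-when-cross-origin"))
```

Two findings fall out of the example: the list of hosts is what to reconcile against the contracts and privacy policy, and moving visitor attributes out of the URL (POST bodies or server-side state) fixes the leak regardless of which policy a browser honours. Resources injected later by scripts are not visible to a static parse; a browser-driven crawl is needed for those.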

Horror Stories

US – Hack Hits 80 Million Anthem Customers

The country’s second-largest health insurer has announced that hackers accessed and obtained tens of millions of current and former customer and employee accounts. Compromised data includes names, birthdates, Social Security numbers, contact information and other employee data. In a public letter, Anthem CEO Joseph Swedish, himself a victim of the hack, said, “As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.” Anthem has provided customers with a web page, complete with Swedish’s letter, FAQs and a tab to ask questions. Rep. Michael McCaul (R-TX) said, “This attack is another reminder of the persistent threats we face.” [Bloomberg] [Anthem Breach May Have Started in April 2014] [China To Blame in Anthem Hack?]

WW – Malware Attack Could Be the Biggest Bank Theft on Record

The New York Times reports on what is potentially one of the largest bank thefts ever. Kaspersky Lab was recently called to Ukraine to investigate the crime, which went down without any of the normal signs of a robbery. More than 100 banks in more than 30 nations were involved when a group of international hackers penetrated the banks’ internal computers via malware that allowed them to mimic every move being made on the computers by bank employees. The software remained for months, allowing the criminals to see the banks’ daily routines and then impersonate employees—transferring funds in dummy accounts set up in other countries. Thefts thus far total $300 million, but that number is expected to triple. [Full Story]

WW – Kaspersky Lab: Bank Hackers Steal $100s of Millions via Malware

total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms. The majority of the targets were in Russia, but many were in Japan, the United States and Europe. No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information. [New York Times]

US – Could the Anthem Hack Happen Again? New Report Analyzes Insurers’ Cyber Security Programs

The New York State Department of Financial Services Report analyzes survey data collected from 43 insurance entities that collectively hold a staggering $3.2 trillion of combined assets. Of these 43 entities, 21 are health insurance providers, 12 are property and casualty insurance providers, and 10 are life insurance providers. The Report’s questions address six main topics: (1) the insurer’s information security framework; (2) the use and frequency of penetration testing and results; (3) the budget and costs associated with cyber security; (4) corporate governance around cyber security; (5) the frequency, nature, cost of, and response to cyber security breaches; and (6) the company’s future plans on cyber security. In an effort to obtain a broader understanding of the context of these cyber security programs within the insurers’ overall risk management strategy, the Report also analyzes the statutorily required enterprise risk management (“ERM”) reports that certain insurers filed with the Department. [Health Law Policy]

US – LinkedIn Settlement Moves Ahead; Google Buzz Case Thrown Out

A federal judge has tentatively approved a $1.25 million data breach class-action settlement with LinkedIn. U.S. District Court Judge Edward Davila said, “The settlement agreement falls within the range of possible approval as fair, reasonable, adequate and in the best interests of the class.” The preliminary judgment still leaves Davila room to reject the settlement after a final hearing, the report states. Meanwhile, a federal judge in California has thrown out a putative class-action contesting Google’s $8.5 million Google Buzz settlement. [MediaPost]

WW – TurboTax Halts E-Filing After Stolen Data Used To File Claims

TurboTax has halted electronic filing of all state returns amid reports from states of criminal attempts to obtain refunds through its systems. Intuit said its TurboTax unit took action last week after seeing individuals were making attempts to use stolen personal information to file returns, the report states. Intuit does not believe its systems were breached. Rather “the information used to file fraudulent returns was obtained from other sources outside the tax preparation process,” the company said, adding that an examination is ongoing. [The Wall Street Journal] | [J.F. Rice: A Look back at the top 20 data breaches of 2014]

Identity Issues

US – Data De-Identification: Useful Tool, But No Magic Bullet

FERPA regulations require educational agencies and institutions–and other parties that release de-identified education records–to take into account information that is “linked or linkable to a specific student”, as well as other reasonably available information about a student, so that the cumulative effect does not allow a “reasonable person in the school community to identify the student with reasonable certainty.” De-identification is not a single on-off switch. Nor is it a magic bullet. Instead, it’s a process. [Source] [Khaled El Emam: Is it safe to anonymize data?]
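One way to make “linked or linkable” concrete, as an added example not drawn from the FERPA guidance or the cited source: measure k-anonymity over the quasi-identifiers that survive once names and IDs are stripped, generalize, and measure again. The records, field names and generalization choices are constructed; the banding origin year is an arbitrary parameter.

```python
from collections import Counter

# Constructed de-identified records: names and student IDs are gone, but the
# quasi-identifiers that remain can still single out a pupil.
RECORDS = [
    {"grade": 10, "zip": "02139", "sex": "F", "birth_year": 1999, "iep": "none"},
    {"grade": 10, "zip": "02139", "sex": "F", "birth_year": 1999, "iep": "none"},
    {"grade": 10, "zip": "02139", "sex": "F", "birth_year": 1999, "iep": "ADHD"},
    {"grade": 11, "zip": "02140", "sex": "M", "birth_year": 1998, "iep": "none"},
    {"grade": 12, "zip": "02141", "sex": "M", "birth_year": 1997, "iep": "none"},
    {"grade": 12, "zip": "02141", "sex": "M", "birth_year": 1997, "iep": "dyslexia"},
]
QUASI = ("grade", "zip", "sex", "birth_year")      # linkable to a yearbook or voter roll
GENERAL_QUASI = ("zip3", "sex", "birth_band")      # after one generalization step


def equivalence_classes(records, quasi):
    """Group size for every combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi):
    """Smallest group of records sharing the same quasi-identifier values."""
    return min(equivalence_classes(records, quasi).values())


def identifiable(records, quasi, k):
    """Indices of records that sit in a group smaller than k."""
    classes = equivalence_classes(records, quasi)
    return [i for i, r in enumerate(records)
            if classes[tuple(r[q] for q in quasi)] < k]


def homogeneous_classes(records, quasi, sensitive):
    """Groups whose members all share one sensitive value: k says nothing
    useful there, because membership alone discloses the attribute."""
    values = {}
    for r in records:
        values.setdefault(tuple(r[q] for q in quasi), set()).add(r[sensitive])
    return [key for key, vals in values.items() if len(vals) == 1]


def year_band(year, width=3, origin=1997):
    start = origin + (year - origin) // width * width
    return f"{start}-{start + width - 1}"


def generalize(records):
    """Coarsen ZIP to three digits, band birth year, drop grade (it tracks
    birth year closely enough to add nothing once the year is banded)."""
    return [{"zip3": r["zip"][:3], "sex": r["sex"],
             "birth_band": year_band(r["birth_year"]), "iep": r["iep"]}
            for r in records]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI),
          "singled out below k=2:", identifiable(RECORDS, QUASI, 2))
    generalized = generalize(RECORDS)
    print("generalized k =", k_anonymity(generalized, GENERAL_QUASI),
          "homogeneous:", homogeneous_classes(generalized, GENERAL_QUASI, "iep"))
```

The raw table is 1-anonymous: one eleventh-grader is alone in his group, and because that group has a single “iep” value, anyone who can place him in the release learns it. After generalization every group has three members and mixed sensitive values, which is the “process” the passage describes: measure, coarsen, re-measure, and accept that utility drops with each step.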

US – NIST Launches Grant Competition

The National Institute of Standards and Technology (NIST) is launching a competition for U.S. companies to earn grants to pilot online identity-verification systems that help improve the privacy, security and convenience of online transactions. According to the release, NIST intends to fund multiple grants of $1 million to $2 million per year, per project, for up to two years. Eligible institutions include higher education, nonprofits, commercial organizations and state, local and U.S. tribal government entities. Abbreviated applications will be accepted through March 17, and NIST will provide guidance in the form of an applicant’s conference and other avenues. [Full Story]

Internet / WWW

US – Federal ‘Internet of Things’ Report Triggers Debate, Senate Inquiry

The FTC report noted that despite the potential risks associated with expanding connectivity, new legislation dealing specifically with the IoT would be inappropriate. “Regarding legislation, staff concurs with many stakeholders that any IoT-specific legislation would be premature at this point given the rapidly evolving nature of the technology,” the FTC said in a statement. Sen. John Thune, (R-S.D.), chair of the Senate Commerce Committee agrees. “Standing on the cusp of technological innovations that will improve both the safety and convenience of everyday items, we shouldn’t let government needlessly slow the pace of new development. By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach,” Thune said in a statement on the IoT hearing. [Source]

UK – Microsoft Adopts Cloud Privacy Standard

In a blog post, Microsoft General Counsel & Executive Vice President Brad Smith writes that it is the “first major cloud provider to adopt the world’s first international standard for cloud privacy.” ISO/IEC 27018 seeks to establish uniform and global standards for protecting personal information in the cloud. The British Standards Institute has independently verified that Microsoft Azure, Office 365 and Dynamics CRM Online are all in line with the new standards. According to Smith, this matters because it gives users control of their data as well as an understanding about what is happening to it. Smith said strong security has been implemented to protect data and none of it will be used for advertising. Users will also be informed when a government has requested their data. [Full Story]

WW – Cisco Forecasts Global Wireless Data Traffic To Increase Tenfold by 2019

The increased use of smartphones and Internet-of-Things devices will precipitate a massive jump in wireless traffic around the world. A new forecast from Cisco predicts that global wireless traffic will increase by 10 times in the next four years. In 2014, wireless traffic reached approximately 30 exabytes (30 billion gigabytes) and will reach nearly 300 exabytes by 2019. The number of mobile users is expected to jump from 4.3 billion to 5.2 billion, or nearly 70% of the global population. Additionally, Cisco expects there to be 3.2 billion additional devices for machine-to-machine communication and 578 million wearable devices. Data from wearables alone could increase by a factor of 18, the report states. [Re/code]

US – FTC’s Soltani Warns About IoT Security

In a FTC blog post, Chief Technologist Ashkan Soltani discusses the security shelf-life of the Internet of Things (IoT). “I’d like to briefly explain why I believe IoT security is so important and why the IoT ecosystem presents a unique set of factors that give rise for special attention to security,” Soltani writes. He cites attributes including the ease of reprogramming small devices for reasons other than what was originally intended; the lack of interfaces for the consumer; the possibility of vulnerabilities to manifest across a large class of devices; the likelihood that inexperienced businesses will create new devices without appropriate protections, and the lack of incentives for manufacturers to provide consumers with security patches for low-cost devices such as lightbulbs and webcams. [Full Story]

Law Enforcement

CA – Kelowna RCMP ‘Routinely’ Breach Privacy During Strip Searches: Judge

“Videotaping inside strip search rooms and simultaneous broadcasting to a central monitoring location is a routine policy at the Kelowna detachment. That ‘routine policy’, breaches the intent and spirit of (case law). The interests of the police of maintaining safety in the search rooms and preserving evidence are not so compelling that they outweigh (the) expectation of privacy that her strip search not be videotaped and monitored remotely.” [Judge Ellen Burdett]


US – Advocates Concerned About FCC Location Data Requirements

“Americans dial 911 nearly 240 million times a year, and 70% of the calls are made on cell phones,” Newsweek reports, noting a 2013 study found that more than 10,000 people die each year because the location data wireless providers transmit to emergency personnel is insufficiently precise. So the Federal Communications Commission on Thursday voted 5-0 to improve the indoor location of wireless 911 calls, requiring major telecommunications companies to provide horizontal-location information, within 50 meters of a caller, and vertical information—what floor a caller is on—for 67% of emergency calls. In five years, they’d be required to provide that information for 80% of emergency calls. Civil liberties groups say the plan lacks any mention of privacy safeguards. [Full Story]

WW – Visa to Use Location Tracking To Detect Fraud

Visa will roll out a feature this spring that will allow its cardholders to automatically inform their banks when they are using the location function found in nearly every smartphone. Privacy experts are applauding the feature, saying, if used properly, it could cut down on credit card fraud and protect users. The feature is optional and can be deactivated at any time, the report states. Banks will be able to update their smartphone apps to include Visa’s new location-tracking software. If a customer opts in, the Visa software will establish a customer’s home area within a 50-mile radius and transactions that occur within that radius will be considered low risk. [The Associated Press]
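The home-radius rule the report describes, as an added example (not Visa’s or any issuer’s code): derive a home centroid from an opted-in cardholder’s recent phone locations, then score a transaction by its distance from that centroid. The coordinates are public city coordinates used as constructed sample input; the centroid method and the “elevated” label are assumptions.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8

# Constructed sample input: a few recent phone fixes around Seattle for the
# home area, then two transaction locations (Bellevue, Portland).
RECENT_LOCATIONS = [(47.6062, -122.3321), (47.6205, -122.3493), (47.5952, -122.3316)]
BELLEVUE = (47.6101, -122.2015)
PORTLAND = (45.5152, -122.6784)


def haversine_miles(a, b):
    """Great-circle distance between two (lat, lon) points in decimal degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def home_area(points):
    """Centroid of recent fixes; adequate for a city-scale cluster (assumed)."""
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def location_risk(home, phone_location, opted_in, radius_miles=50.0):
    """Return ('low' | 'elevated' | 'unknown', distance_in_miles).

    Only an opted-in cardholder's phone location is consulted; without opt-in
    the signal is simply absent and the other fraud controls decide. A
    transaction outside the radius is not declined here, it just loses the
    low-risk discount, since the cardholder may be travelling.
    """
    if not opted_in or phone_location is None:
        return "unknown", None
    distance = haversine_miles(home, phone_location)
    return ("low" if distance <= radius_miles else "elevated"), round(distance, 1)


if __name__ == "__main__":
    home = home_area(RECENT_LOCATIONS)
    print("Bellevue:", location_risk(home, BELLEVUE, opted_in=True))
    print("Portland:", location_risk(home, PORTLAND, opted_in=True))
    print("not opted in:", location_risk(home, PORTLAND, opted_in=False))
```

The privacy property the article relies on is in the inputs, not the arithmetic: the authorizer needs one coarse centroid and the phone’s position at authorization time, and nothing here requires the location history itself to be retained by the bank.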


WW – APEC Meetings Focus on Future of CBPRs, Updating Privacy Framework

From January 30 to February 3, the APEC Data Privacy Subgroup and its parent committee, the Electronic Commerce Steering Group, met in the Philippines for another round of negotiations and meetings. The meetings focused on implementing APEC’s Cross-Border Privacy Rules (CBPR) system; developing a corollary APEC recognition mechanism for data processors, and updating the APEC Privacy Framework, the report states. The CBPR system currently comprises the U.S., Mexico and Japan and will likely be joined by Canada later this month. Thus far, 10 companies have earned their CBPR certification under APEC-recognized accountability agent TRUSTe. The next round of meetings will be held in August. [Hunton & Williams Privacy and Information Security Law Blog] [Huntons] [Thailand has announced new regulations that, if implemented, would make shooting video with drones “illegal activity for civilians lacking prior permission“]. [Biometric Update: the United Arab Emirates intends to establish a free zone for financial services on Al Maryah Island and employee privacy will be a major component of the effort]

Online Privacy

WW – Google Advisors Recommend Limited RTBF Scope

An eight-person advisory panel appointed by Google released its much-anticipated report on how best to apply the Court of Justice of the European Union’s ruling on the right to be forgotten, recommending delisting only apply in Europe. The recommendations run counter to guidance provided by the Article 29 Working Party (WP29) but include a dissenting opinion from former German Justice Minister Sabine Leutheusser-Schnarrenberger. The report does recognize a global application “may ensure more absolute protection of a data subject’s rights,” pointing out that people outside of Europe have the right to access data online. The advisory council also expressed “concerns about the precedent set by such measures, particularly if repressive regimes point to such a precedent” to censor information in their nations. [GigaOM]

WW – Google Advisory Council: Right To Be Forgotten Should Not Go Beyond Europe

After listening to evidence about the ability to block international sites, the council was also concerned about a government’s ability to truly block specific websites and the precedence such a move would set. “The Council has concerns about the precedent set by such measures, particularly if repressive regimes point to such a precedent in an effort to ‘lock’ their users into heavily censored versions of search results,” said the report. “It is also unclear whether such measures would be meaningfully more effective than Google’s existing model, given the widespread availability of tools to circumvent such blocks.” [Source]

WW – Apps Will Share Data With Google Now

In a bid to bolster its hold on the online search market, Google plans to allow a host of third-party apps—including Airbnb, eBay and Lyft-to share data with Google Now, The Wall Street Journal reports. Google Now is a predictive search app, available for Android phones and wearables as well as the Chrome web browser. If users have the updated Google app and the Airbnb app on their phones, for example, the search history from Airbnb will be shared with Now. Previously, Google acquired search data from a user’s Google account search history. According to the report, more than 30 third-party apps will share data with Google Now. [Full Story]

EU – France – Paris Court’s Move to Export R2BF Worldwide

In the judgment for Mr. Shefet, the French judge relied on a specific point of the recent privacy ruling that said a company’s local subsidiary could be held liable for the activities of its parent. The judge ordered Google’s French subsidiary to pay daily fines of roughly $1,100 until links to the defamatory content were removed from all searches worldwide. [A Question Over the Reach of Europe’s ‘Right to Be Forgotten’ ]

Privacy (US)

US – Obama Issues Executive Order Promoting Cyber Info Sharing

Speaking at Stanford University, U.S. President Barack Obama announced a new executive order designed to promote private sector cybersecurity information sharing. Obama also said a national conversation on data encryption is needed. “I lean probably further in the direction of strong encryption than some do inside of law enforcement,” he said, “But I am sympathetic to law enforcement because I know the kind of pressure they’re under to keep us safe.” Sen. Tom Carper (D-DE) said the executive order “complements” his cyber info-sharing bill. Meanwhile, also speaking at Stanford, Apple CEO Tim Cook said, “We believe deeply that everyone has a right to privacy and security.” He added, “If those of us in positions of responsibility fail to do everything in our power to protect the right to privacy we risk something far more valuable than money—we risk our way of life.” [Full Story] [Privacy experts question Obama’s plan for new agency to counter cyber threats]

US – Data Protection Lacking Across Ed-Tech Sector

The New York Times reports on classroom technology for students and teachers and the apparent industry-wide gap in data security and privacy protection. One software engineer with two kids in elementary school said, “A lot of education sites have glaring security problems,” adding, “A big part of the problem is that there’s not even any consensus of what ‘good security’ means for an educational website or app.” After reviewing nearly 20 education technology products, the software engineer found other potential privacy vulnerabilities, including in districts’ social networks, classroom assessment programs and learning apps. [Full Story]

US – Franken Probes Samsung, LG Smart TV Privacy Practices

In the wake of privacy concerns stemming from the privacy policy of Samsung’s Smart TV Voice Recognition feature, Sen. Al Franken (D-MN) has sent letters to both Samsung and LG asking for more details about their data collection practices. “If such communications are unnecessarily captured along with voice commands,” Franken wrote, “is it possible to extract that data before transmission to a third party?” Samsung said it “supports Senator Franken’s commitment to consumer privacy and we appreciate the opportunity to respond to his inquiries regarding the voice recognition feature on our Smart TVs.” [PCWorld]

US – FTC Denies Proposed Verifiable Consent Method Under COPPA

Recognizing the importance of encouraging the development of new consent mechanisms and to provide transparency, COPPA allows parties to request that the FTC approve parental consent methods not enumerated in COPPA. The goal of this provision is to encourage the development of new verification methods that provide businesses with more flexibility. The process requires a detailed description of the proposed parental consent method and an analysis of how the method is reasonably calculated to ensure that the person providing consent is the child’s parent. The application is then published in the Federal Register for public comment. [HLDA]

US – Markey Report Reveals Automobile Security and Privacy Vulnerabilities

“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions. Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected,” said Senator Markey, a member of the Commerce, Science and Transportation Committee. “We need to work with the industry and cyber-security experts to establish clear rules of the road to ensure the safety and privacy of 21st-century American drivers.” [Markey]

US – EFF Files Supreme Court Amicus Brief Over Warrantless Searches of Hotel Records

Central to City of Los Angeles v. Patel is a city ordinance requiring hotel operators to retain certain guest registry information, which they must make available to police officers on demand. Hotel operators aren’t allowed to challenge requests for guest information in court in advance and can be punished with jail or a fine if they refuse to comply. [Citizens Have a Right to Challenge Laws That Violate the Fourth Amendment] [EFF]

US – Does the Government Require Your Hotel to Spy on You?

The question is not whether private parties’ privacy expectations are reasonable. The Fourth Amendment asks whether government agents’ searches and seizures are reasonable. The petitions submitted by the City of Los Angeles and the U.S. government both treat the idea of “frequent, unannounced inspections” as a virtue of the statute. According to the government parties, innocent business owners, who are not suspects of any crime, should be subject to routine surprise inspections by government agents to make sure that they are performing surveillance of their guests for the government. … The Court should revisit the third-party doctrine and the “reasonable expectation of privacy test,” which produced it. [CATO]

US – Justice Department Drops Court Battle; Hands Document to Privacy Group

The Justice Department has agreed to turn over a legal opinion on surveillance and census data following a yearlong court battle with the Electronic Frontier Foundation (EFF). The department on Thursday dropped its appeal of a federal judge’s decision requiring it to provide the opinion to the EFF. The group sued to obtain documents on government surveillance, including a document that analyzed law enforcement access to census data, under the USA PATRIOT Act. A Justice Department spokeswoman said on Friday the department will turn over the document to the EFF. [Associated Press]

US – Judge: Heightened Risk of ID Theft Doesn’t Constitute Standing to Sue

A federal judge has ruled that the “heightened risk of future identity theft” isn’t enough to establish standing for a woman who filed a class-action lawsuit after her personal data was compromised in the 2014 hack of St. Joseph Health Systems. U.S. District Judge Kenneth Hoyt dismissed the suit after St. Joseph argued the woman had not suffered an injury traceable to the breach and hadn’t proved any quantifiable damage or loss. In his ruling, Hoyt cited Clapper v. Amnesty International USA, stating the plaintiff’s allegation that risk has increased doesn’t translate into “cognizable injury.” [Courthouse News Service]

US – Congress Considers IoT Regulation

The Internet of Things (IoT) was front-and-center during a Senate Committee on Commerce, Science and Transportation hearing that featured testimony from a wide spectrum of witnesses across industry sectors. At issue in the now Republican-controlled Senate committee hearing was whether the IoT and its many benefits can flourish unfettered in a free marketplace or if regulations are needed to mandate strong security, ensure privacy protections and manage other more technical issues around spectrum availability. [Full Story] [CA – What Canadians can learn from FTC’s Internet of Things report]

WW – Managing Privacy in the Internet of Things

The data from all these things will be valuable not just to the companies that deploy them, but also to people or companies operating in other domains. For example, your thermostat might talk to your neighbor’s weather station to determine an appropriate temperature setting, and then switch on the heating when your phone’s GPS tells it that you’re nearing home. It’s this many-to-many and cross-domain aspect of connectivity that distinguishes IoT from earlier remote monitoring/control systems and M2M (machine-to-machine) systems, where only one organization created, owned, and used the data. In the IoT, each connection won’t be predetermined; these things should be able to structure their conversations on the fly, in an automated and ad-hoc manner. But this raises a number of questions and concerns around privacy, interoperability, and data-access privileges. [Source]

US – AGs Tell Anthem Notification Took Too Long

A group of 10 state attorneys general (AGs) sent Anthem a letter complaining about the length of time it took for the country’s second-largest health insurer to notify the public of its recent breach, Reuters reports. “The delay in notifying those impacted is unreasonable and is causing unnecessary added worry to an already concerned population of Anthem customers,” wrote Connecticut AG George Jepson, adding, “Anthem must commit to reimbursing consumers for any losses associated with this breach during the time period between the breach and the date that the company provides access to credit and identity theft safeguards.” The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island. The breach could cost more than $100 million. [Full Story]

US – POTUS to Announce New SIGINT Rules; ODNI Releases Report on Privacy Reforms

President Barack Obama will announce new rules “requiring intelligence analysts to delete private information they may incidentally collect about Americans” and plans to “institutionalize a regular White House-led review of the National Security Agency’s monitoring of foreign leaders.” Subsequently, the Office of the Director of National Intelligence (ODNI) has released a report outlining how it has implemented signals intelligence privacy and civil liberties reforms. An ODNI blog post notes that over the last 18 months, reforms have strengthened privacy, limited SIGINT data collection and use and increased transparency. “As this report shows, the intelligence community has made significant progress implementing many reforms,” the ODNI wrote, adding, “However, our work is not done.” [The New York Times]

US – Brill on Obama’s Proposals; Researchers on Adequate Privacy Protection

Last week was a busy one for Carnegie Mellon University (CMU): Three researchers published a review on people’s attitudes toward privacy and how they change given context, and the Federal Trade Commission’s Julie Brill spoke on the Internet’s “accelerating encroachment into our private lives.” During her talk, Brill advocated for the passage of three new laws unveiled recently by President Barack Obama. “I do think there’s a place for industry self-regulation,” Brill said, though thus far it’s proved insufficient. Meanwhile, “approaches that rely exclusively on informing or ‘empowering’ the individual are unlikely to provide adequate protection against the risks posed by recent information technologies,” CMU’s Alessandro Acquisti, Laura Brandimarte and George Loewenstein wrote in their review. [TNS]

US – Obama’s OLC Says Section 215 Cannot Apply to Census Data

In a first, the government has acknowledged the limits of Section 215: it released an opinion (pdf), written by the Office of Legal Counsel (OLC) in 2010, that concluded that Section 215—the provision of the Patriot Act the NSA relies on to collect millions of Americans’ phone records—does have a limit: census data. [Source]

US – Uber to Implement Privacy Program Recommendations

Uber announced it is strengthening its privacy programs as the result of an outside privacy assessment, laid out in a 40-page review. The ride-sharing start-up retained Hogan Lovells Partner Harriet Pearson, CIPP/US, and her team last November after a number of reports surfaced about the company’s controversial use of consumer data, leading some to apply the name “Ubergate.” This exclusive for The Privacy Advisor reports on the detailed review and includes comments from Pearson and Uber Counsel of Data Privacy Katherine Tassi. [Full Story]

US – First-Ever Revenge Porn Conviction Handed Out

In a first-of-its-kind case, a San Diego man was convicted under a new California revenge porn law. Kevin Bollaert was found guilty of 27 felony counts for creating a website that hosted revenge porn and a secondary site used to extort hundreds of dollars from victims. The now-defunct website included sexually explicit photos of tens of thousands of women with links to their social media accounts. If a victim requested a takedown, she was directed to another site, where victims had to pay for the images’ removal. They were also instructed to provide pictures of themselves holding signs with their birth dates. Bollaert now faces up to 20 years in prison. [NBC] [In a column for The Atlantic, Profs. Danielle Citron and Woodrow Hartzog explain the significance of the Federal Trade Commission settlement with the founder of a revenge porn website]

US – Why the FTC’s Revenge Porn Settlement Is a Big Deal

Danielle Citron and Woodrow Hartzog explain the significance of last week’s Federal Trade Commission settlement with the founder of a revenge porn website. Until recently, the law has “struggled to address emerging privacy threats, including invasion of sexual privacy,” for a number of reasons, including free speech and certain protections for online publishers. Citron and Hartzog note, however, a “budding movement … recognizing that information shared in confidential relationships deserves protection.” Plus, businesses “are now on notice that it is illegal to exploit information shared in confidence and with an expectation of privacy,” and, “Repurposing confidential relationships, and the information shared in them, for commercial gain could prompt action by consumer-protection agencies.” [The Atlantic]

US – Seattle Creates Set of Privacy Principles

Seattle launched its Privacy Initiative in November, led by the Seattle Police Department and Department of Information Technology, to define how the city collects, uses and disposes of data to both meet the city’s needs and build public trust. The City Council received a set of privacy principles that aim to establish a core foundation from which city employees will approach decision-making where their work intersects with personal data. The principles include provisions on valuing privacy; collecting and keeping only what’s needed; granting citizens choices when possible on how their data is used; staying accountable, and requiring third-party vendors to meet the city’s privacy standards. [Full Story]

US – Taking Photos Up Girl’s Skirt Appalling, But Not A Crime, Judge Rules

Defense attorney Mark Lawrence argued that Buono had taken the images in public, a place where no one can reasonably expect privacy. The law bans clandestine photography in bathrooms, locker rooms, dressing rooms and tanning booths — all places where people should expect privacy. But the aisle in Target was plainly public, Lawrence said. Plus, up-skirt sightings can occur by happenstance, he said, citing the famous photos of a wind-swept Marilyn Monroe. It could happen to anyone riding an upward-bound escalator, taking a spill, exiting a car. “These things are not only seen but video-recorded,” Lawrence said. “It’s incumbent on us as citizens to cover up whatever we don’t want filmed in public places.” On top of that, Lawrence noted, the girl was wearing underwear, and therefore was not nude, which the invasion of privacy statute requires. [Source]

US – After 18 Years at the CDT, Dempsey Moves to Berkeley

For Jim Dempsey, the decision to leave the Center for Democracy & Technology after 18 years was pragmatic. Traveling from his home in California to Washington, DC, as frequently as he was—a frequency that only increased with his involvement in the Privacy and Civil Liberties Oversight Board and his efforts toward ECPA reform—left him somewhat exhausted. But the pragmatism of his decision doesn’t mean he’s any less excited about where he finds himself now as a result of his decision to stay put: He’ll head up the Berkeley Center for Law & Technology as its executive director. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – “Privacy-Aware Research” Among Aggregated Health Competition Winners

The Health Data Exploration project has announced five recipients in its $200,000 Agile Research Project Competition. The project is based at the California Institute for Telecommunications and Information Technology and supported by the Robert Wood Johnson Foundation. The recipients were selected for their capacity to advance the use of aggregated and anonymous personal health data for research. They are Rumi Chunara of New York University, Julie Kientz of the University of Washington, Emil Chiauzzi from PatientsLikeMe, Michelle De Mooy of the Center for Democracy & Technology (CDT) and Eric Hekler of Arizona State University. The CDT’s De Mooy’s submission, entitled “Towards Privacy-Aware Research and Development in Wearable Health,” received $50,000 in funding. [Full Story]

WW – A Reverse-Engineering “Crypto Trick”; the Power of White Hat Hacking

Wired reports that security researcher Jacob Torry will present a new scheme that would make reverse-engineering code virtually impossible. The Hardened Anti-Reverse Engineering System (HARES) encrypts code that only allows decryption by the computer’s processor just before the code is executed, the report states. “It protects software algorithms from reverse engineering, and it prevents software from being mined for vulnerabilities that can be turned into exploits.” Gizmodo reports on a security researcher who figured out how to delete any photo album on Facebook using only four lines of code. Instead of exploiting it, the researcher reported it to Facebook. Meanwhile, Apple has announced it has extended two-factor authentication to Facetime and iMessage. [Full Story]

WW – Venture Capital Firm Invests in “Instagram for Doctors”

Venture capital firm Union Square Partners late last year “made an investment that was a bit unusual,” leading a $4 million funding round for Figure 1, a start-up targeting the medical industry with a social network that allows doctors, nurses, EMTs and other medical professionals to share medical images. Figure 1 “takes a popular and effective UI and applies it to an industry in desperate need of change,” said Union Square’s Fred Wilson. “In other words, an Instagram-like app dedicated to picture-sharing between medical professionals,” the report states, noting that because it “deals with medical data, it’s restrained by a host of privacy laws.” [FastCompany]

US – Obama Introduces Cyber-Enforcement Squad, Seeks $14 Billion for Cyber Defense

The White House has announced a new $20 million cyber unit to oversee dot-gov network security. The “E-gov Cyber” unit will also ensure that agencies notify victims of data breaches. Acting U.S. Chief Information Officer Lisa Schlosser said the division will “conduct data-driven, risk-based oversight of agency government-wide security programs.” Reuters reports that as part of the White House’s budget proposal, President Barack Obama is asking Congress for $14 billion in funding for cybersecurity across the U.S. government. A White House summary said, “Cyber threats targeting the private sector, critical infrastructure and the federal government demonstrate that no sector, network or system is immune to infiltration by those seeking to steal” sensitive data. [NextGov]

WW – 100% of IoT-Connected Home Security Systems Tested Security FAIL

HP researchers tested 10 of the newest connected home security systems and discovered the Internet of Things-connected security systems are full of security FAIL. “The biggest takeaway is the fact that we were able to brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” wrote HP’s Daniel Miessler. …HP Fortify found an “alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based web interfaces.” …In a previous report, HP Fortify researchers found about 25 security vulnerabilities per Internet of Things device. In the report about home security systems, HP researchers said they don’t want to dampen your enthusiasm, but they do want you to be informed about the risks before activating these systems. Wouldn’t we be better informed if we knew precisely what IoT devices and security systems are full of fail? [ComputerWorld]
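The three weaknesses HP names (enumerable usernames, weak password policy, no account lockout) are each cheap to close at the login handler. Below is an added example of a device or cloud login written to avoid all three; it is not HP Fortify's code or any vendor's, and the lockout threshold, lockout length and password rule are assumed values chosen for the example.

```python
"""Login handler hardened against the "trifecta": no username enumeration,
a minimum password policy, and account lockout after repeated failures.
Added example; thresholds below are assumed, not taken from any product."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # consecutive failures before the account locks (assumed)
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed)
MIN_PASSWORD_LEN = 12   # password policy: length plus character classes (assumed)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, now=time.time):
        self._accounts = {}
        self._now = now  # injectable clock so lockout expiry can be tested offline
        # Dummy credential: an unknown username still costs one full hash, so
        # response time does not reveal which usernames exist.
        self._dummy = Account(os.urandom(16), self._hash(os.urandom(16), b"dummy"))

    @staticmethod
    def _hash(salt: bytes, password: bytes) -> bytes:
        # Slow, salted hash: a leaked database does not yield passwords cheaply.
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    @staticmethod
    def password_ok(password: str) -> bool:
        """Policy: at least MIN_PASSWORD_LEN characters and three character classes."""
        classes = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ])
        return len(password) >= MIN_PASSWORD_LEN and classes >= 3

    def register(self, username: str, password: str) -> bool:
        """Create an account; refuses duplicates and policy-violating passwords."""
        if username in self._accounts or not self.password_ok(password):
            return False
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, self._hash(salt, password.encode()))
        return True

    def login(self, username: str, password: str) -> bool:
        """One generic answer (False) for unknown user, wrong password and
        locked account alike, so nothing about the account state leaks."""
        acct = self._accounts.get(username, self._dummy)
        now = self._now()
        if acct.locked_until > now:
            self._hash(acct.salt, password.encode())  # keep timing uniform
            return False
        candidate = self._hash(acct.salt, password.encode())
        if hmac.compare_digest(acct.pw_hash, candidate):  # constant-time compare
            acct.failures = 0
            return True
        if acct is not self._dummy:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
        return False

    def is_locked(self, username: str) -> bool:
        """Internal/administrative view only; never exposed on the login response."""
        acct = self._accounts.get(username)
        return bool(acct and acct.locked_until > self._now())
```

A remote guessing campaign against this handler gets at most MAX_FAILURES attempts per lockout window and the same False for every failure reason, which removes both the enumeration step and the unlimited-attempt step HP describes.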

WW – Report: Most Malicious Apps Come From U.S.

A new report says the U.S. is the top developer of malicious and privacy-invasive applications, despite the fact that “conventional wisdom … often places the problem squarely in Asia.” The research was done by Marble Security and looked at countries with developers that published applications that were either directly malicious, handled data insecurely or posed a potential privacy risk, the report states. It focused on app marketplaces considered the most secure, Google Play and Apple’s App Store, and found that more than 42 percent of the dangerous apps came from companies or publishers identified as being in the U.S. [PCWorld]

WW – Russian Researchers Uncover Deeply Embedded Spyware

A Russian-based security firm has uncovered a highly secretive means of spying deep within the software used in most of the world’s hard drives. According to the Kaspersky Lab, personal computers in as many as 30 countries were infected with one or more spying programs. The report calls the implants part of the “Equation Group,” which according to The New York Times, is a “veiled reference to the National Security Agency” and the U.S. Cyber Command. Prof. Peter Swire told Reuters the disclosure could impact U.S. trade and diplomatic relations. “There can be serious negative effects on other U.S. interests,” he added. [Reuters]

US – Hacked Hotel Phones Fueled Bank Phishing Scams

Over the past two weeks, fraudsters have been blasting out SMS messages to hundreds of thousands of mobile users in the Houston, Texas area. The messages alerted recipients about supposed problems with their bank account, urging them to call a supplied number and follow the automated voice prompts to validate or verify their credit card account information. [Krebs]

WW – Product Puts Encryption Keys in Customers’ Hands

Key management system Box, which has been talking about letting customers manage their own encryption keys so they can store their data in the cloud and maintain control over who gets access to it, says its new product, Enterprise Key Management (EKM), does just that by putting “encryption keys inside a customer’s own data center and in a special security module stored in an Amazon data center.” While Box must still access customer data to enable sharing, it only happens when the customer wants it to, the company says. “Without EKM, Box could be forced to hand data over to the government without notifying the customer if the government request is valid and requires Box to keep it secret,” the report states. [Ars Technica]

US – EFF Has NSA Suit Partially Denied, Files Suit Over Airborne Surveillance

A federal judge has thrown out part of an Electronic Frontier Foundation (EFF) lawsuit against the National Security Agency (NSA), citing national security. U.S. District Court Judge Jeffrey Wright issued a 10-page order denying a portion of the suit against the NSA over its Internet surveillance of Americans’ communications but said he can’t fully explain his decision because doing so could pose “grave danger to national security.” Meanwhile, the EFF has also filed a lawsuit “seeking details of a Justice Department surveillance program that uses secret airborne technology to scan large numbers of Americans’ cell phones while hunting criminal suspects.” [The Wall Street Journal]

US – Canary Watch Site Will Keep an Eye Out for Vanishing Warrant Canaries

The way canaries work is that companies inform us, in their transparency reports, when their customers have not been served with a secret government subpoena. Such secret subpoenas, such as the National Security Letters empowered by the USA Patriot Act, come with gag orders that keep companies from telling customers they’ve been served. When a company publishes the dates that it hasn’t received a subpoena, customers can then infer – from the missing information – the dates that the company must have been served with the subpoena. [Source]
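The inference the passage describes can be automated: treat each published statement as covering one reporting period and look for the periods no statement covers, plus a statement that is overdue. The code below is an added example, not Canary Watch's own tool; the report wording it parses, the 90-day period and the 30-day grace window are constructed for the example.

```python
"""Warrant-canary monitor (added example). A company publishes, per reporting
period, a statement that it received no secret demand during that period.
Because a gag order forbids saying otherwise, the only signal is a period
with no statement, so the monitor reports exactly those gaps."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# Constructed statement wording for this example; a real report needs its
# own pattern.
CANARY_RE = re.compile(
    r"received no (?:national security letters|secret government demands)"
    r" between (\d{4}-\d{2}-\d{2}) and (\d{4}-\d{2}-\d{2})",
    re.IGNORECASE,
)


@dataclass(frozen=True, order=True)
class Canary:
    period_start: date
    period_end: date  # inclusive


def parse_canaries(report_text: str) -> List[Canary]:
    """Extract every per-period canary statement from a transparency report."""
    found = [Canary(date.fromisoformat(s), date.fromisoformat(e))
             for s, e in CANARY_RE.findall(report_text)]
    return sorted(found)


def uncovered_periods(canaries: List[Canary], checked_on: date,
                      period_days: int = 90, grace_days: int = 30
                      ) -> List[Tuple[date, date]]:
    """Return the date ranges, from the first canary onward, that no statement
    covers. A gap inside the chain is a period the company could not
    truthfully re-publish the canary for; a trailing gap means the next
    statement is overdue (one period plus a grace window for late posting)."""
    chain = sorted(canaries)
    if not chain:
        return []
    gaps: List[Tuple[date, date]] = []
    cursor = chain[0].period_start  # first day not yet known to be covered
    for c in chain:
        if c.period_start > cursor:
            gaps.append((cursor, c.period_start - timedelta(days=1)))
        cursor = max(cursor, c.period_end + timedelta(days=1))
    if (checked_on - cursor).days > period_days + grace_days:
        gaps.append((cursor, checked_on))
    return gaps


# Constructed transparency-report excerpt: the Q3 2014 statement is missing.
SAMPLE_REPORT = """
Transparency report, 2014.
We received no national security letters between 2014-01-01 and 2014-03-31.
We received no national security letters between 2014-04-01 and 2014-06-30.
We received no national security letters between 2014-10-01 and 2014-12-31.
"""

if __name__ == "__main__":
    for start, end in uncovered_periods(parse_canaries(SAMPLE_REPORT),
                                        date(2015, 2, 15)):
        print(f"no canary covers {start} .. {end}")
```

A gap is only a hint: a company may also have changed its wording, moved the statement, or simply posted late, so a monitor should flag gaps for a human rather than conclude a demand was served.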

US – FAA Releases New Rules for Drones

Over the weekend, the U.S. Federal Aviation Administration (FAA) released a highly anticipated framework of regulations for unmanned aircraft systems (UAS), or drones. President Barack Obama released a memorandum to federal agencies on Sunday to ensure the government is respectful of citizens’ privacy and civil liberties when drones collect data while in flight. Obama made his first attempt to address the concerns that privacy advocates have raised about the increasing use of drones by government agencies. The directive orders agencies to limit the collection and retention of data gathered by unmanned aircraft. Local and state agencies receiving federal grants must also create drone privacy policies, according to the memorandum. While praising the effort as helpful, the ACLU said the directive fell short of the organization’s goal. [Bloomberg]

US – NTIA to Head Up Multistakeholder Process

Obama and the FAA issued an executive order calling on the National Telecommunications & Information Administration (NTIA) to carry out a multi-stakeholder process to create a code of conduct for protecting the privacy of U.S. citizens. The NTIA will have 90 days to initiate a framework for “privacy, accountability and transparency for commercial and private UAS use.” An NPR report notes the FAA proposal highlights safety over privacy. [Full Story]

US – Few Privacy Limitations Exist on How Police Use Drones

Members in the House and Senate introduced bills in the previous Congress that would have required police everywhere in the country to obtain a warrant before using drones for surveillance, but the bills died at the end of the year. “In the states that don’t require warrants, it’s pretty much a Wild West” in terms of what’s allowed, says Jay Stanley, senior policy analyst at the American Civil Liberties Union. “There’s nothing stopping a police department from using [drones] in all kinds of ways to spy, except for the Constitution.” [Only 14 states require law enforcement to get a warrant to use drones for surveillance] Meanwhile, in Thailand, new regulations would make shooting video with drones “illegal activity for civilians lacking prior permission,” Slate reports.

US – Poll: Folks OK With Police Drones – Private Ownership, Not So Much

Some 73% of respondents to a Reuters/Ipsos online poll said they want regulations for the lightweight, remote-control planes that reportedly have been involved in an increasing number of close calls with aircraft and crowds. People are also uneasy about potential invasions of privacy by drones carrying cameras or other devices. Forty-two percent went as far as to oppose private ownership of drones, suggesting they prefer restricting them to officials or experts trained in safe operation. Another 30% said private drone ownership was fine, and 28% were not sure, according to the survey of more than 2,000 respondents, conducted Jan. 21-27. [Americans: Poll]

US – NoFlyZone Aims to Keep the Airspace Over Your Home Drone-Free

NoFlyZone registers each address along with its GPS coordinates, which are then relayed to drone manufacturers to create a geofence around the home and render their products unable to fly over the property. …The few drone makers who’ve signed on include HEXO+, Ehang, DroneDeploy, Yuneec, Horizon Hobby, PixiePath and RCFlyMaps. That list leaves out major drone makers DJI and 3D Robotics: big omissions, given that, according to TechCrunch, DJI alone “probably accounts for the vast majority of drone sales in the United States.” Even if the major drone makers do agree to go along with geofencing people’s homes at their request, it’s not clear that NoFlyZone has the right to protect personal airspace, which, at least in the US, is under the control of the Federal Aviation Administration. [NakedSecurity]

Telecom / TV

WW – Today in Creepy Privacy Policies, Samsung’s Eavesdropping TV

As an Electronic Frontier Foundation activist pointed out earlier today, via Twitter, the concept of a TV screen that might be snooping on your private conversations — and thus broadcasting a chilling effect by inculcating self-censorship within its viewers — is straight out of George Orwell’s 1984 …The Samsung example is just the latest privacy-related concern involving smart TVs — many of which routinely require users to agree to having their viewing data sent back to the TV maker and shared by them with advertisers and others simply in order for them to gain access to the service. But the clarity of wording in Samsung’s privacy policy is impressive — given it amounts to a warning not to talk about private stuff in front of your telescreen because multiple unknown entities can listen in. [TechCrunch]

WW – Privacy Worries Over Samsung TVs

Privacy Commissioner John Edwards said the function appeared to breach collection principles under the Privacy Act. “It is hard to imagine a lawful purpose for a TV manufacturer to collect voice communications not directed at the TV.” He said he would also look into the adequacy of the privacy policy disclosure. “Even if there was a disclosure of the fact of that kind of collection in the privacy policy, I’d be prepared to look at the fairness and intrusiveness of the practice.” [Source] [CBC: CA – Samsung SmartTV an ‘Absurd’ Privacy Intruder, Ann Cavoukian says]

WW – Samsung Says TVs Do Not Monitor Conversations

In a blog post, Samsung responds to media reports that, according to the company’s privacy policy, its new Smart TVs are capable of sharing private conversations with third parties—prompting some to compare it to George Orwell’s 1984. In the post, Samsung says its “products are designed with privacy in mind” and that voice recognition features “are enabled only when users agree to the separate Samsung Privacy Policy and Terms of Use regarding this function when initially setting up the TV.” Additionally, the company notes, users can activate and deactivate the service at any time. [Full Story]

WW – Samsung Edits Orwellian Clause Out of TV Privacy Policy

Relying on vague wording to obfuscate function and keep users in the dark as to how their technology really operates does no one any favors. It breeds mistrust and triggers overblown concerns. If the privacy policy sounds creepy, the implication is the service provider is also doing something creepy — or at the very least trying to hide its activity from plain sight. Which makes people naturally suspicious. …As the smart home takes shape, consumers are going to be asking increasingly probing questions about what previously-innocuous-but-now-connected-to-the-cloud home gizmos are actually doing with the data they’re sniffing. To keep buyers on side, device makers will not only need great services; they’ll need sparkling privacy and spectacular security too. A core part of the solution will be privacy by design, and privacy policies written in plain language that are displayed proudly, as an asset, held up in plain sight. [TechCrunch]

US – Senators to Push Privacy, Security Legislation for IoT

Sen. Edward Markey plans to introduce legislation to require security measures in connected cars. Markey’s legislation will require makers of wireless access points on connected cars to use penetration testing technologies and that collected data is encrypted. The legislation will also require that the car manufacturer or a security vendor be able to detect and respond to hacking attempts in real time. The bill will also require car makers to explain their data collection practices to drivers and allow them to opt out of data collection without having to disable navigation. [Source] [Will the internet of things finally kill privacy?] [Why the FTC’s new report doesn’t go far enough]

US Government Programs

US – Majority of Journalists Believe U.S. Gov’t Has Spied on Them

A new report from Pew Research Center reveals that 64% of journalists surveyed think the U.S. government has collected information about their phone calls, emails or online communications, while eight out of 10 believe that simply being a journalist increases the likelihood of such intelligence gathering. However, only 14% of those surveyed said that such concerns have prevented them from covering a story about surveillance. Meanwhile, a UK tribunal ruled that some parts of intelligence gathering and sharing between the U.S. and UK are illegal. The Investigatory Powers Tribunal ruled that UK intelligence agency GCHQ broke the law when it received intelligence on millions of Britons from the U.S. National Security Agency. [Full Story]

US – New Agency Raises Privacy Concerns

The Guardian reports on concerns expressed by privacy advocates about President Barack Obama’s plans for a new Cyber Threat Intelligence Integration Center. “Given the number of other agencies that have cybersecurity threat integration responsibilities, it’s not clear that a new agency is needed,” said the Center for Democracy & Technology’s Greg Nojeim, adding, “We are keen to hear from the White House about the measures it will impose to ensure that this new agency operates transparently, with effective independent oversight, and does not become a repository for personal information unnecessary to counter cyber threats.” FireEye’s Tony Cole said, “They really could have just restructured” how the National Cybersecurity and Communications Integration Center works. [Full Story]

US – Senator Releases Harsh Report on Connected Car Privacy

Sen. Ed Markey (D-MA) has released a report warning of the data security and privacy issues with virtually every auto manufacturer. After sending inquiries to 20 automakers last year, Markey wrote, “unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions … Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.” Nearly every connected car on the market includes technologies “that could pose vulnerabilities to hacking or privacy intrusions,” the report found. Markey suggests industry work with cybersecurity experts “to establish clear rules of the road, not voluntary agreements” to better protect consumer privacy. [The Washington Post]

US Legislation

US – Trio of Reps Introduces ECPA Update

A bipartisan trio of House members is reintroducing a bill that would require warrants to obtain email or location information. Reps. Zoe Lofgren (D-CA), Suzan DelBene (D-WA) and Ted Poe (R-TX) are introducing the Online Communications and Geolocation Protection Act, an update to the Electronic Communications Privacy Act of 1986. “Fourth Amendment protections don’t stop at the Internet, and Americans rightly expect constitutional protections to extend to their online communications and location data,” Lofgren said. Similar bills have failed to get the votes needed to make it out of subcommittee. Other lawmakers are preparing to present a separate bill specifically focused on electronic communication, the report states. [The Hill]

US – State Bill Would Require Warrants for Digital Data

A bill that would require law enforcement agencies to secure a warrant before seizing U.S. citizens’ digital communications and electronic devices was reintroduced Monday in the California legislature. State Sen. Mark Leno (D-San Francisco) proposed the California Electronic Communications Privacy Act, which would prohibit government entities from forcing service providers to hand over electronic communication information without a warrant and from getting information from an electronic device from anyone except the “authorized possessor of the device,” the report states. A warrant would be required to get personal information from mobile devices, emails, text messages, contact lists and photos as well as for location information. [Courthouse News Service]

US – Obama Student Bill Gaining Bipartisan Support

Behind-the-scenes efforts by the White House and lawmakers are under way to get a student privacy bill off the ground. Presidential advisor John Podesta said, “I think there’s much more pressure now to move legislation and we’re certainly going to use all of the resources we have, including the president’s time, to ensure that the Congress takes this up.” In the coming weeks, Reps. Luke Messner (R-IN) and Jared Polis (D-CO) will unveil their student privacy bill. “Protecting America’s children from big data shouldn’t be a partisan issue,” Messner said, adding, “I’m glad to work across the aisle to find the appropriate balance between technology in the classroom and a parent’s right to protect their child’s privacy.” [Full Story] [The Flaws in Obama’s Cybersecurity Initiative]

US – Congress Tries ECPA Reform Once Again

Lawmakers in both houses of Congress are making a bid at revamping the 1986 Electronic Communications Privacy Act (ECPA). Reps. Kevin Yoder (R-KS) and Jared Polis (D-CO) are expected to introduce the Email Privacy Act with 223 cosponsors. Additionally, Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) will introduce a companion bill in the Senate. Though the numbers for reform are high, an attempt last year, which failed, had the support of 272 cosponsors. “We’re starting at a much stronger place,” Polis said. “We’re able to pick up the momentum from last time, show there’s overwhelming support for this bill.” [Full Story]

US – Bill Would Nix Access to Overseas Data

Sen. Orrin Hatch (R-UT) has proposed the Law Enforcement Access to Data Stored Abroad (LEADS) Act, which would require U.S. companies to turn over data stored on overseas servers only if the warrant targets a “U.S. person.” Hatch says the legislation would “promote international comity and law enforcement cooperation,” and Microsoft agrees that it would be a “very important step.” However, Internet Association President Michael Beckerman opposes the bill, saying it could weaken individuals’ online privacy. Acknowledging the problems government surveillance powers pose for Internet companies globally, Beckerman said, “the LEADS Act, as currently written, could incentivize data localization and therefore weaken user privacy.” [Ars Technica]

US – California Introduces Bill to Ban Warrantless Spying

“Especially after revelations of warrantless surveillance by the NSA, it is time for California to catch up with other states across the nation, including Texas and Maine, which have already updated their privacy laws for the modern digital world,” said Nicole Ozer, Technology and Civil Liberties Policy Director for the ACLU of California. [Source]

US – Bill Aims to Block U.S. from Reading People’s Old Email Without Warrant

A bill seeks to prevent the U.S. government from being able to look at Americans’ old emails without a warrant. “The government is essentially using an arcane loophole to breach the privacy rights of Americans,” Yoder said. “They couldn’t kick down your door and seize the documents on your desk, but they could send a request to Google and ask for all the documents that are in your Gmail account. And I don’t think Americans believe that the Constitution ends with the invention of the Internet.” [Source]

US – Proposed Bill Limits Reach of US Search Warrants on Overseas Servers

“Electronic communications are used extensively by criminals,” DOJ says. “In the end, we must strengthen privacy in the digital age and promote trust in US technologies worldwide by safeguarding data stored abroad, while still enabling law enforcement to fulfill its important public safety mission,” Hatch said. The bill was co-sponsored with Sens. Chris Coons (D-Del.) and Dean Heller (R-Nev.). [Ars Technica]

US – New Delaware Law Gives Executors More Access to Online Data

A controversial new state law is making it easier for estate executors to access digital data—such as email, photos and social-media postings—after the account holder dies. Many Internet companies strictly limit access to their customers’ accounts to the account holder, in accordance, they say, with federal privacy law. When an account holder dies, estate executors typically have to seek a court order to access the account, which can be expensive and time consuming—sometimes taking half a year or more—and isn’t always successful. But under a Delaware law passed last summer, executors can now access online accounts without a court order, unless the deceased has instructed otherwise. Similar legislation is under consideration in several other states. That’s an encouraging development to people like Andy Blair, an estate lawyer in Raleigh, N.C., who says his parents have thousands of family photos stored online. “Without a law like this,” he says, “I may never get access to those” after his parents die. But a group of Internet firms opposed the Delaware law, saying that it violates consumer privacy and may conflict with existing federal privacy law. [WSJ]

US – Other Legislation

16-31 January 2015

US – DHS to Roll Out Facial Recognition Along Border

The Department of Homeland Security (DHS) will unveil iris- and facial-recognition services along U.S. borders starting this summer. The U.S. Border Patrol will use the technology in conjunction with the FBI’s Next Generation Identification system. The move is part of an overhaul of the “IDENT” biometric system, which currently possesses more than 170 million fingerprints and facial images of non-U.S. citizens along with 600,000 iris templates, the report states. “While the photos do not satisfy some quality requirements for facial matching,” the DHS said it’s looking for ways to use the biometric data “with strong privacy and security protections in place to improve the accuracy of biometric identification/verification.” [Defense One] SEE ALSO: [Ars Technica: Law Enforcement, Advocate Face Off in Debate on Biometrics]

US – Military Wants to Replace Passwords With “Cognitive Fingerprints”

Transparent, behaviour-based biometrics could provide the nudge that’s needed to push biometrics into the mainstream, but there are two major obstacles to overcome before that happens. The first is that you can’t change your biometrics – so what’s the equivalent of changing your password if you’re compromised? The second is that for all the frustration that comes with remembering (and forgetting) our passwords, we know and feel, tangibly, that they’re under our control. [NakedSecurity]

WW – The Rise of Emotion-Detection Tech

The Wall Street Journal reports on the companies developing emotion-detection technology and on the privacy concerns of the field’s pioneer, Paul Ekman. Ekman, an 80-year-old psychologist, fears he may have created a monster, according to the report. Start-ups such as Emotient, Affectiva and Eyeris are using Ekman’s research to drive their software. These companies are also compiling a large database “seeking patterns that can predict emotional reactions and behavior on a massive scale.” Ekman, who also serves as an advisor to Emotient, says he is torn between the technology’s potential and privacy issues including surveillance and notice and consent. [The Wall Street Journal]

WW – Psychological Profile-Based Security – Could It Work?

Fujitsu claims that its technology can assign security countermeasures based on a user’s psychological profile and risk tendencies – warning them ahead of time, before an attack can be carried out successfully. …Computer-based behavioral profiling is becoming very popular – recent research has found that algorithms can be more accurate at identifying personality traits and predicting behaviors than a person’s closest friends. Fujitsu says its behavior-based security tool can recognize what types of risks an individual is prone to, and direct countermeasures most appropriate to that person. [Naked Security]

Big Data

WW – Using Search Data to Explore “Socially Sensitive” Questions

Seth Stephens-Davidowitz shares his data-mining research on people’s perceptions and questions about sex by using Google search data. “Call it everything you always wanted to know about sex but didn’t have the data to ask,” he writes, noting that traditional surveys are not reliable in relation to such questions. By mining Google searches, Stephens-Davidowitz explores some of society’s more sensitive questions but wonders if he’s gone too far. Prof. Dan Ariely cautioned readers about the interpretation of this data, saying it may be skewed as, “Google is a reflection of what people don’t know and need extra information about.” [The New York Times]

UK – The Big Data Issue: Think Tank Calls for New Office of Responsibility

The proposed Office of Data Responsibility would help build British citizens’ trust in public bodies that use their data. … For example, the NHS’s scheme, under which patient data will be shared between GP surgeries and hospitals, was met with strong opposition. The failed implementation of a national ID cards scheme under former Prime Minister Gordon Brown is another case in point which shows public mistrust in the handling of data by public bodies. [Misco]

US – Big Data’s Disconnect: CXO Vs Employee Views

Executives other than CEOs, and especially lower-level managers, see the current status and benefits of data initiatives far differently than the CEOs, the survey shows. While 47% of CEOs think all employees have access to the data they need, only 27% of all respondents agree that they do. [Source]
CA – CSE Tracks Millions of Downloads Daily: Snowden Documents

Global sites for sharing movies, photos, music targeted in mass anti-terror surveillance: CBC analyzed the document in collaboration with the U.S. news website The Intercept, which obtained it from Snowden. The presentation provides a rare glimpse into Canada’s cyber-sleuthing capabilities and its use of its spy partners’ immense databases to track the online traffic of millions of people around the world, including Canadians. That glimpse may be of even greater interest now that the Harper government plans to introduce new legislation increasing the powers of Canada’s security agencies. [CBC]

CA – Federal Government’s New Terror Law Concerns Privacy Watchdog

The privacy watchdog is concerned about the info-sharing provisions in the Conservatives’ new terror laws, as PM Harper heads to Toronto to sell them. Privacy commissioner Daniel Therrien says he will be closely watching the wording of provisions aimed at increasing information sharing among government agencies. [The Toronto Star] See also: [The Canadian government may revise “the Passenger Protect system to make it easier to keep individuals from boarding planes.”]

CA – Expert Says Spy Agencies ‘Drowning in Data’ and Unable to Follow Leads

U.S. reports question effectiveness of bulk collection in hunt for terrorists. Under Levitation, the electronic spy agency was sifting through up to 15 million uploads or downloads each day from around the world as part of a counterterrorism effort. But, according to the presentation, only 350 downloads each month triggered any kind of follow-up — an extremely small portion of the indiscriminately collected data. The way the program worked was that the CSE tapped into collected metadata on those downloads. It then used the computer’s IP addresses to cross-reference that through at least two wide-reaching databases of metadata held by Canada’s spying partners to try to figure out a suspect’s identity and to further monitor that person’s online activity. [CBC]

CA – Project Levitation: Politicians Call for Cybersurveillance Oversight

Surveillance meant to protect homeland security may not protect Canadians’ privacy rights. Some politicians are calling for heavier oversight of the Communications Security Establishment’s eavesdropping service that accesses everyday Canadians’ online activity. [CBC]

CA – Anti-Terror Bill to Give Agencies More Authority to Share Private Info

The changes would allow information submitted in passport applications and on the movement of items such as automatic weapons, GPS systems or controlled goods that could be used in terrorist attacks to be shared with Canadian security agencies. Other measures Ottawa is preparing include reducing the threshold required to make preventive arrests or detentions of suspected extremists. [G&M] [G&M: Harper’s Anti-Terror Bill to Criminalize the ‘Promotion of Terrorism’] [Ottawa Citizen: Anti-Terror Bill: Can Government Balance Security and Civil Rights?]

CA – Canadian Police Spent $1.6 Million on an Unconstitutional Spying Program

VICE’s analysis of the records shows that the RCMP has paid over $1.6 million to Canada’s cellphone companies since 2010 in order to skirt the normal process of having these requests approved by a judge. [Source]

CA – Bill C-13: Cyberbullying Bill Introduces New Lawful Access Measures

According to many commentators, the current Act, by combining both cyberbullying and lawful access concepts into a single piece of legislation, has served to reduce public controversy as legislating to attack the increasing problem of cyberbullying is a popular proposition. As well, the lawful access measures contained in the Act are a far cry from those much more robust powers that were being proposed for law enforcement in the earlier lawful access bills. For instance, Bill C-30 provided for warrantless mandatory disclosure of basic subscriber information, a controversial provision that did not resurface in the current Act. Nevertheless, the Act has still served as a bit of a lightning rod for controversy in the media and with the public. [JDSupra] Canada reports on the effect the country’s new cyberbullying bill could have on business.

CA – Changes to Police Record-Check Policies to Remove Embarrassing Details

B.C.’s privacy commissioner says police forces across the province are implementing new policies preventing them from revealing embarrassing details in record checks. “We assume the presumption of innocence as well, so information that relates to a complaint that doesn’t go anywhere, a complaint to the police by say a frustrated neighbour, again that shouldn’t find its way into an employment check.” … Denham said the greatest number of complaints they heard were about disclosure of information of suicide attempts or apprehensions under the Mental Health Act. [Vancouver Sun] [Times Colonist: Police Told to Restrict Background-Check Detail]

CA – New N.W.T. Health Care Legislation Raises Privacy Concerns

Privacy Commissioner says Bill 36 could allow access to confidential health records. “This Act, this bill, says an investigator may demand any information from any person and it goes on to say you can’t refuse to provide that information,” says Keenan Bengts, Information and Privacy Commissioner for the N.W.T. That, she says, could put people in a position where they have to decide whether to comply with Access to Information laws or face up to $5,000 in fines. [CBC] [In Northwest Territories, legislation that would allow the regulation of naturopaths and psychologists has prompted concerns from Information and Privacy Commissioner Keenan Bengts that the bill could violate privacy] See also: [New Brunswick is reviewing its legislation governing access to information and protection of privacy, and the public is asked to provide feedback through March 31]

CA – B.C.’s Privacy Commissioner to Investigate Saanich Spyware Concerns

Saanich Mayor Richard Atwell revealed to media Jan. 12 his concerns about the installation of employee monitoring software on his and other computers at Saanich municipal hall. “My office has been closely following recent events in the District of Saanich, where allegations have been made that spyware is being used on district-owned computers to monitor employees with or without their consent,” Denham said. “In light of many outstanding questions and concerns, I have decided to act on my own motion and initiate an investigation into whether the District’s use of employee monitoring software complies with the Freedom of Information and Protection of Privacy Act.” [Source] [Embattled Saanich Mayor Could Have the Last Laugh] [Times Colonist: Mayor Atwell Received Computer Security Form, Didn’t Sign It]

CA – Commissioner Advises Businesses on Importance of Protecting Information

Therrien said his message isn’t just for major companies but for the thousands of smaller businesses operating across Canada, as 98% of companies employ fewer than 100 people. … Businesses that don’t have strong privacy controls risk losing their competitive advantage in today’s increasingly privacy-conscious marketplace. … About a third of all private sector privacy complaints under Canada’s federal private sector privacy law appear to involve smaller businesses. Landlords, hotels, real estate agencies, collection agencies, travel agencies, independent local retailers and financial planners are among the types of businesses in the community that are at the centre of these complaints. [Source] [Federal Privacy Commissioner Embarks on Private Privacy Campaign]

CA – What Obama’s Mandatory Data Breach Reporting Law Could Mean for Canada

Some Canadian privacy advocates are hopeful that if Obama’s proposed law has teeth, they will be able to brandish it in front of Canadian lawmakers and demand changes for Bill S-4, which is currently in front of a House of Commons committee for review. Like other privacy advocacy groups, John Lawford and his team have made a request to appear in front of this committee. [IT Business]

CA – B.C. Agency Drops Unlawful Seizure Case Without Explanation

Mr. Schwarz’s 16-month fight to keep the home ended this week, when the office abandoned the attempt without explanation. The case — described by a civil liberties expert as “outrageous” — was another black mark for the agency, which has been criticized for the aggressiveness of its operations. Some have called it a cash cow. B.C.’s Civil Forfeiture Office has seized $6-million more in property than a similar agency in Ontario that was opened three years earlier. The B.C. office does not need criminal charges or a conviction to pursue a case. [Globe & Mail]

CA – New Canadian Certification Program Puts Privacy First

“If you can embed privacy as the default setting in every practice and program, whatever the default condition is, it will prevail 80% of the time,” said Cavoukian. “If you can give that kind of assurance to your customers, they will thank you with their repeat business and attract new business opportunities.” In order to promote this outlook in Canada, Cavoukian announced a “Privacy by Design” certification program that Ryerson University will be launching in partnership with audit firm Deloitte. It’s a program that will be rolled out in the coming months to any company, including those in the channel, who want to meet a benchmark for security and privacy in the solutions they offer. It tries to take a proactive approach to preventing data loss. [Computer Dealer News] [Practical Webcast Q&A: Financial Innovation – Building an Analytic Foundation Through Privacy by Design]
CA – Concern for Privacy Has Jumped, Survey of Canadians Finds

More than seven in 10 Canadians (73%) said they feel they have less protection of their personal information in their daily lives – the highest level in a decade. Meanwhile, 60% say they have little expectation of privacy today, either online or in the real world because there are so many ways in which their privacy can be compromised. The survey of more than 1,500 Canadians was commissioned by the Office of the Privacy Commissioner of Canada and published today on the occasion of Data Privacy Day.

[News Release – Office of the Privacy Commissioner of Canada] [CBC: Cyber Surveillance Worries Most Canadians: Privacy Czar’s Poll] [Daniel Therrien: Consumers Care About How Companies Treat Privacy] [Online Privacy and Banks: Has Anyone Asked the Millennials]

US – Study: Amazon Most Trusted Company for Privacy in 2014

The Ponemon Institute released the results of its 2014 Most Trusted Companies for Privacy Study. According to the study, Amazon was the most trusted company for privacy. Other companies named in the top 10 include American Express, PayPal, Hewlett Packard, IBM, Nationwide, USAA, LinkedIn, Apple, USPS, Intuit and Mozilla. “What these companies have in common is a strong orientation to respecting their customers and providing the best possible customer service,” the Ponemon study stated. Meanwhile, according to a new study by Truste, 45% of U.S. citizens think online privacy is more important than national security. [Full Story]

US – Survey: Customers Less Willing to Share Data

The Guardian surveyed its Media Network readers and members on issues facing the media industry, on topics ranging from data usage to remote working to privacy. The most resounding responses were related to data and its use, the report states. Only 15% of members surveyed said they feel their customers are becoming more willing to share their data; the vast majority said they feel customers are “clamming up in the face of companies requesting increasing amounts of data.” Two-thirds of respondents said it’s clear customers are concerned about their data privacy. [The Guardian] See also: [Calgary Herald: How to Legally Fly a Drone in Canada]

WW – Global Survey Finds Tech in Need of Privacy Rules

A new survey released at the World Economic Forum finds divergent opinion about issues raised by technology but also consensus on the need for stronger privacy protections. Conducted by Microsoft, Views from Around the Globe: 2nd Annual Poll on How Personal Technology Is Changing Our Lives surveyed 12,002 Internet users from 12 countries over the course of the last year. “After the broad consensus about how the web brings us great deals and boosts business, there’s a deep divergence on many issues,” said Microsoft Chief Strategy Officer Mark Penn. With the exception of India, a majority of those surveyed believe technology has had a negative effect on privacy, while every country except India and Indonesia said current legal protections for tech users are not enough. [USA Today]

US – Young Americans Split on Favoring Security Over Privacy

Overall, 63% of respondents said that they would forgo personal privacy in order to allow the government to investigate possible terror threats. Only 32% deemed it more important to preserve privacy. However, younger Americans appear to put more value on personal privacy than do their elder counterparts. Among respondents ages 18-39, 52% favored the investigation of terror threats, while 45% put more weight on privacy. In comparison, 67% of those ages 40-64 labeled investigating threats more important, as did 75% of individuals age 65 and older. Almost 95% of users aged 14–17 had checked or changed their privacy settings on social network systems, compared to an average of just 65% across all age groups. The figure dropped to 77% and 67% for users aged 18–24 and 25–34 respectively. These younger age groups, all sitting above the broad average, contrasted with figures for older users – just under 55% of those aged between 45 and 54 had checked or changed their settings, falling to 52.7% for 55 to 64-year-olds, and 32.5% for seniors. … Young people are constantly learning to navigate new norms of privacy in these emerging and shifting social contexts. A 14-year-old may be concerned about whether her mother reads her Facebook posts to her boyfriend. A 17-year-old might worry about what potential employers think of party photos. And a 19-year-old may grapple with what is appropriate to post about her working day. [Source] [Source]

WW – A Retreat for Google Glass; a Case Study in the Perils of Making Hardware

The device was pre-emptively banned by bars and large parts of Las Vegas. Legislators in West Virginia tried to make it illegal to use the gadget while driving. “There’s no vision for why people actually need this device,” Mr. Gownder said. “That’s a problem. When you don’t have that, people fill that in with their own assumptions, and right now the assumption is that this is a device for recording people.” [NYT blog]
CA – CRTC Reports First Action Under CASL

Faced with uncertainties, organizations seeking in good faith to comply have awaited with anticipation the first decisions of the regulators, in the hope that the details of these decisions will assist in clarifying their compliance obligations. Unfortunately, those hopes will likely be dashed … The report is not a “report” per se, but rather is a press release. Partially as a result of this, the release reads more like a dispatch from the frontlines than a useful report on a CASL inquiry. [Lexology] [Financial Post: What You Need to Know About the Hidden, Rolling CASL Deadlines]

WW – The “Dirty Dozen” SPAMPIONSHIP: Who’s the biggest? Who’s the worst?

For years, the USA has come out at the top of our spam by volume chart. That has been a simple side-effect of cheap and fast internet access available to a large population that owns lots of computers. But China has been flirting with top spot for the previous year, and finally cracked that dubious honour in the last quarter of 2014. [Naked Security]

Electronic Records

CA – Anti-Abortion Activist Fired In Patient Privacy Breach

An anti-abortion activist has been fired after a hospital privacy breach in which hundreds of patient records and abortion files were inappropriately accessed. Ontario’s acting privacy commissioner, Brian Beamish, says that an investigation was launched after Peterborough hospital informed his office about a privacy breach. The commission found that the hospital had “responded reasonably” to the breach, he said. [Star]
US – Obama’s Data Security Plan: Do as I Say, Not as I Do

A recent report on data security practices, programs and defenses at the Department of Homeland Security points toward what may well be a horrible train wreck to come. According to the report, “Widespread weaknesses in the federal government’s information security practices represent a significant vulnerability that could be exploited by adversaries, creating a potential threat to national security and American citizens.” [ABC News]

WW – Global Encryption Market Could Top $2B

A new report from Allied Market Research states that the global encryption software market will reach as much as $2.16 billion in the next five years. And encrypted messaging company Wickr has released a new self-destructing photo feed that uses cat memes to encrypt data.

EU Developments

EU – Council of Europe: Mass Surveillance Does Not Stop Terrorists

The Council of Europe says mass surveillance is ineffective in the fight against terrorism, threatens human rights and violates the privacy enshrined in European law. A 35-page document drafted by Dutch MP Pieter Omtzigt says the EU’s member states should take measures before “the industrial-surveillance complex spins out of control.” The report provides recommendations to the European Court of Human Rights. [Vice News]

US – Report Finds No Substitute to Gathering Bulk Intelligence

“There are no technical alternatives that can accomplish the same functions as bulk collection and serve as a complete substitute for it; there is no technological magic,” the report said. … However, a blue-ribbon panel set up by Obama following Snowden’s revelations reported it could find no evidence that sweeping collection of the telephone metadata of Americans led to a single major counter-terrorism breakthrough. [Reuters]

EU – DPAs to Meet on Safe Harbor’s Future

German data privacy commissioners will meet in Berlin for their annual conference to discuss whether the Safe Harbor agreement between the EU and the U.S. should be scrapped. The meeting will allow German regulators to voice ongoing frustration over the lack of reform following the Snowden revelations, which revealed the NSA was collecting German citizens’ data. “I, as well as several of my German colleagues, have serious doubts about whether U.S. companies that have self-certified under the agreement can be considered to be in a safe harbor,” said Berlin’s commissioner for data and information. [ZDNet] [DPA: Data-Transfer Agreement Needed Now]

EU – Facebook Class-Action to Commence in April

A court date for a class-action lawsuit against Facebook has been set by an Austrian court. Scheduled for this April, the Vienna Regional Court will hear a case involving Max Schrems and his group Europe-v-Facebook. In the case, Schrems claims Facebook violates EU law by tracking users on external websites via social plugins. [PC World]

EU – Reding: Legislation Needed to Level Tech Playing Field

MEP Viviane Reding said European legislators are seeking to finalize negotiations on a digital single market that aims to level the playing field for European technology companies. “For months, European government officials and regulators have clashed with the likes of Google, and Facebook over everything from taxes to privacy,” the report states. Reding said she wants to see single-market legislation this year. “American companies come from outside and act as if it was a lawless environment to which they are coming. There are conflicts not only about competition rules but also simply about obeying the rules,” she said. [The Wall Street Journal] [The European Commission says it wants to have a single cross-continent data protection law in place by the end of the year, claiming it will bring major benefits to consumers and businesses]

EU – EDPS Buttarelli Says EU Must Be Global Voice Amidst Tensions With U.S.

“Europe needs to be at the forefront in shaping a global digital standard for privacy and data protection which centres on the right of the individual,” said European Data Protection Supervisor Giovanni Buttarelli. These comments came during a speech, as data protection tensions between the EU and U.S. rise. Buttarelli said he and Assistant Data Protection Supervisor Wojciech Wiewiórowski want to alter the office’s role to become advisory and supervisory, the report states. “The goal for my mandate is for the EU to speak with one voice on data protection, a voice which is credible, informed and relevant,” he added. [Euractiv]

EU – Other News

Facts & Stats

WW – Legislators, Industry Busy on Data Privacy Day

Lawmakers and other industry groups showed solidarity with Data Privacy Day. Senators sent U.S. Attorney General Eric Holder a letter questioning the Drug Enforcement Agency’s vehicle-tracking database. Co-chairs of the Congressional Bi-Partisan Privacy Caucus called for better privacy protections. Additionally, some industry groups called for a revamp of the Electronic Communications Privacy Act (ECPA). Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) also renewed attempts to overhaul ECPA. Separately, a Senate panel began work crafting cybersecurity legislation. Loretta Lynch, the current nominee for U.S. Attorney General, said electronic privacy protection will be a priority for her. Meanwhile, SC Magazine reports on how organizations can prepare for privacy legislation in 2015. [Broadcasting & Cable]

US – Benchmarking on Industry Use of PIAs

TRUSTe revealed results from a comprehensive survey of privacy professionals working across the globe and industry sectors for large organizations on how they implement privacy impact assessments (PIAs). Up to this point, there has not been much data available on industry use of PIAs. The two biggest obstacles for implementing PIAs, according to TRUSTe, are budgetary concerns and available time to conduct them. [Privacy Advisor]

US – OTA: More Than 90% of Breaches Preventable

A report released from the Online Trust Alliance (OTA) found that more than 90% of the data breaches that occurred from January to June 2014 could have been prevented. The OTA’s 2015 Data Protection Best Practices and Risk Assessment guides found 40% of the thousands of breaches analyzed were due to external intrusions; 29% by employees—either accidentally, maliciously or due to a lack of controls—and 18% resulted from lost or stolen devices. The report recommends companies enforce effective password management with multi-factor authentication and permit only authorized wireless devices to connect to company networks, among other recommendations. [MediaPost]

US – Info Security Leads All IT Spending

ESG research indicates “security/IT risk management initiatives” are the leading area for IT spending in the upcoming year, jumping from 34% of all responses in 2014 to 46% of all responses in 2015. Security issues have never before topped the list. It’s certainly not surprising, given reports like SC Magazine’s that “PCI compliance is not synonymous with security” and SplashData’s that “123456” yet again tops the list of the most popular passwords. Perhaps, however, the private sector can look to its colleagues in the public sector. Nextgov reports survey results find that government agencies are actually better at responding to hacks than the private sector. [NetworkWorld]


WW – OECD, G20 Unanimously Endorse Global Automatic Information Exchange

This global automatic information exchange initiative is based on each jurisdiction’s participation in the OECD’s Multi-lateral Convention on Mutual Administrative Assistance in Tax Matters. The information exchange itself will follow the OECD’s Standard for Automatic Exchange of Financial Account Information in Tax Matters (first released in July 2014). This automatic information exchange “draws extensively on the intergovernmental approach to implementing FATCA” and is designed to be implemented via a combination of multi-lateral conventions and bi-lateral competent authority agreements… This is a significant development in the global trend towards information sharing. [Mondaq] [JD Supra: FATCA Data Sharing Goes Online] SEE ALSO: [WW – ‘The Age of Financial Privacy is Over’]

US – Credit Union Industry Wants Retailers Held to Equal Standards

The Credit Union National Association sent a letter to Congress saying retailers and banks should be held to the same standard. “The financial industry is required by law to develop and maintain robust internal protections to combat and address criminal attacks and (is) required to protect consumer financial information and notify consumers when a breach occurs” that could put customers at risk, the letter said. “The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes.” [The Hill] SEE ALSO: [The New York Times: Future of Lending May Focus on Behavior, Not Credit History]

CA – RBC Customer’s Bank Accounts Looted 3 Times by Identity Thieves

Bank says it took ‘reasonable steps’ to protect Meghann Johnston’s accounts. “I was extremely upset that time. This is the third time and they had accessed funds that I had delegated to something else and [RBC] had accepted the same fraudulent ID and this person just walked out with, again, thousands of dollars of my money.” Johnston says her wallet has never been stolen, so she doesn’t know how the fraudster or fraudsters got hold of her personal information. “I do not blame RBC for that, but I do blame them for refusing to institute higher security procedures for my account to prevent the fraudsters from doing this over and over again.” [CBC] [Krebs: How Was Your Credit Card Stolen?]

WW – Improving the Privacy of the Internet Currency Bitcoin

Several Bitcoin users form a sort of sworn community in advance. To hide the source of their transactions, each one of them conforms to a certain pre-determined succession of actions – the so-called CoinShuffle protocol, which was developed by Kate and his team. Every participant decodes the list of recipient addresses he has received, adds his own to it and forwards the encrypted list to the next participant. This process is repeated with every participant. In this way they shuffle the order of the addresses and hence the traces to the recipient, similar to shuffling a deck of cards. [ECN Mag]
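The layered shuffle described above, as an added illustration that is not code from the article or from the CoinShuffle authors: each participant wraps its output address in one encryption layer per later participant, strips its own layer from every entry it receives, appends its own wrapped address, shuffles the list and forwards it. A keyed SHA-256 stream cipher stands in for the public-key encryption the real protocol uses (with a real public key only the intended participant can strip a layer, which the stand-in does not enforce); participant names, addresses and keys are constructed sample values.

```python
import hashlib
import os
import random

# Added example (not code from the original article or from the CoinShuffle authors):
# a minimal simulation of the layered shuffle the article describes. A keyed
# stream cipher built from SHA-256 stands in for each participant's public-key
# encryption; in the real protocol only the holder of the matching private key
# can strip a layer, which this stand-in does not enforce. Addresses and keys
# are constructed sample values.

NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key, nonce and a block counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for encrypting to one participant: random nonce || XOR with keystream."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Strip one encryption layer (the inverse of encrypt)."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def run_coinshuffle(addresses, keys, rng=random):
    """Simulate the shuffle phase for participants 0..n-1.

    Participant i wraps its output address in one layer per later participant
    (innermost layer for the last one). Each participant in turn strips its own
    layer from every entry it received, appends its own wrapped address,
    shuffles the list and forwards it. The last participant ends with every
    address in plaintext, in an order that no longer shows who contributed which.

    Returns (final_address_list, views); views records the list each participant
    received, so a caller can check what was observable in transit.
    """
    n = len(addresses)

    def wrap(i):
        blob = addresses[i].encode()
        for j in range(n - 1, i, -1):  # layers for participants n-1 .. i+1
            blob = encrypt(keys[j], blob)
        return blob

    views = []
    current = [wrap(0)]
    for i in range(1, n):
        views.append((i, list(current)))                   # what participant i receives
        current = [decrypt(keys[i], c) for c in current]   # strip own layer from each entry
        current.append(wrap(i))                            # add own address, layered for later peers
        rng.shuffle(current)                               # shuffle like a deck of cards
    return [blob.decode() for blob in current], views

def intermediate_leaks(views, addresses):
    """True if any participant, on receipt, could read a peer's address in plaintext."""
    for i, received in views:
        for blob in received:
            if any(j != i and addr.encode() in blob for j, addr in enumerate(addresses)):
                return True
    return False

def every_participant_present(final_list, addresses):
    """Each participant's check before signing: is my own address in the output?"""
    return all(addr in final_list for addr in addresses)

def demo(n=5):
    """Run a constructed n-party shuffle; returns (final list, leaked?, all present?)."""
    addresses = [f"bc1q-constructed-address-{i:02d}" for i in range(n)]
    keys = [hashlib.sha256(f"participant-{i}-secret".encode()).digest() for i in range(n)]
    final_list, views = run_coinshuffle(addresses, keys)
    return final_list, intermediate_leaks(views, addresses), every_participant_present(final_list, addresses)

if __name__ == "__main__":
    print(demo())
```

The `views` record is the part worth studying: every participant except the last sees only ciphertext for addresses that are not its own, and the last one sees plaintext addresses whose order has been shuffled by every hop before it, which is exactly the property that removes the link between input and output.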


US – Library Strives to Archive the Internet

Is it true that what is on the Internet will stay there forever? “Chances are, though, that it actually won’t.” The report details posts and stories that have disappeared amidst the concerns that those embarrassing details live forever on the web. “Web pages don’t have to be deliberately deleted to disappear. Sites hosted by corporations tend to die with their hosts. When MySpace, GeoCities, and Friendster were reconfigured or sold, millions of accounts vanished,” the report states. With one study showing many URLs have ceased to link to the original information being cited, approximately 1,000 librarians and activists from across the globe are identifying acquisitions for the Internet Archive, a nonprofit library. [The New Yorker]


US – DNA Database Raises Privacy Concerns

A state database containing DNA samples of 16 million Californians is raising concerns among privacy advocates and a state lawmaker. Samples are taken from virtually every baby born in the state to screen for more than 80 health disorders. The frozen samples are stored indefinitely and are shared with genetic researchers for a fee. California officials say the biobank is secure, but some are concerned the sensitive data can be misused. “Throughout the process,” Council for Responsible Genetics President Jeremy Gruber said, public knowledge and consent is “almost completely” absent. Assemblyman Mike Gatto (D-Glendale) said, “Imagine the discrimination a person might face if their HIV status or genetic predisposition to a mental disorder were revealed to the public.” [Los Angeles Times]

Health / Medical

US – President Unveils Medical Research Plan

President Barack Obama wants to dedicate $215 million in next year’s budget to a research initiative that would be aimed at helping doctors develop personalized medical treatments for their patients. Obama unveiled his “Precision Medicine Initiative,” for which he says he has bipartisan support. [MSNBC]

US – Healthcare Privacy, Security Measures Included in ONC Draft

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology has released a new draft roadmap. “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Version 1” aims to help share healthcare information while also maintaining privacy. [HealthIT Security]

US – Raises New Privacy Concerns

New privacy concerns have been raised about the website that helps U.S. citizens get health insurance. A number of third-party vendors are embedded into the site, giving them potential access to user ages, incomes and zip codes as well as other details such as whether the user smokes or is pregnant. Although there is no evidence any such data has been misused, the amount of outside connections to the site worries some. Corporate cybersecurity consultant Theresa Payton said, “Vendor management can often be the weakest link in your privacy and security chain.” A spokesman for Medicare said vendors “are prohibited from using information from these tools on for their companies’ purposes.” [Associated Press] [New Privacy Concerns Over Health Care Website]

US – Advocates Want More from

Privacy advocates say the Obama administration needs to make more changes to protect consumer privacy on the government’s health insurance website. The administration scaled back the release of personal information from following a report that such details as consumers’ income and tobacco use were going to private companies that have “a commercial interest in the data,” the report states. The Department of Health and Human Services is adding a layer of encryption to the site. Advocates, however, continue to push for more protections. [PBS]

US – Lawmakers Concerned About Data-Sharing

Lawmakers pressed officials about consumer data on being shared with outside companies during a House hearing. The hearing follows revelations last week that the website was giving sensitive information about enrollees to private companies for advertising and data analysis, the report states, resulting in renewed privacy concerns. “They sell that information to any number of people,” said Rep. Dan Newhouse (R-WA), wondering “whether that makes the website more vulnerable.” Newhouse questioned an official from the National Institute of Standards and Technology on the issue, who declined to speak on specifics but said privacy concerns “are taken into account.” [The Hill]

US – Researchers: Health Apps Need to Get Better at Privacy

New research suggests security and privacy worries “are likely impeding the widespread use of thousands of mobile health applications since an overwhelming majority require access to sensitive personal data.” A team of researchers from Germany’s University of Cologne reviewed more than 24,400 English-language smartphone and tablet apps available in 2013. Nearly 95% of the apps “could cause ‘potential damage’ to users’ security and privacy through information leaks, manipulation, loss and value to third parties,” the report states. The researchers recommend app developers “be sensitized to potential threats” and focus on improved security and privacy protections. [FierceMobileGovernment]

US – OCR Criticized for Lack of Robust HIPAA Enforcement

Various privacy and security experts are criticizing the lack of robust enforcement of HIPAA violations by the Department of Health and Human Services’ Office for Civil Rights (OCR). Last year, the OCR said it would ramp up HIPAA audits of nearly 350 covered entities and 50 business associates, but, according to the report, that next phase has been delayed. At a media briefing last week, OCR Director Jocelyn Samuels said the agency will launch its next phase “expeditiously” but did not detail exactly when. Security consultant Tom Walsh said, “The delay could be like the ‘boy who cried wolf’ … After a while, organizations will begin to think, ‘It will never happen.’ Or, ‘It will never happen to us.’” [Gov Info Security]

US – Healthcare Breaches Need a Cure for Human Errors

As digital health records increase by the millions, criminals know that the biggest weakness in securing them is human, not technology. “Hackers are generally efficient – they look for the easiest path to exploit,” Berger said. “Unfortunately today, the weakest link is the employee population and their lack of security awareness. Phishing attacks are disturbingly successful. And it only takes one employee to get duped for the hacker possibly to gain their credentials and pivot to exploiting a database of PHI.” [CIO]

Horror Stories

US – VPPA Class Actions Remain

A number of U.S. courts are weighing privacy class-actions. A federal judge dismissed a class-action claiming Dow Jones violated the Video Privacy Protection Act (VPPA), while Law360 reports that a recent court dismissal of VPPA claims against Google will not end such class-actions. Hulu viewers, for example, allege the company violated the VPPA when it shared data with Facebook. Separately, the Seventh Circuit has been urged to revive a data breach lawsuit against Neiman Marcus.

US – Privacy Concerns Over State’s Medical Marijuana Email to Patients

More than 6,800 patients received e-mails in the last three months telling them they’d been approved for Massachusetts’s medical marijuana program. The e-mails contained detailed personal information, much to patient advocates’ dismay. The state’s health department has started altering its emails, removing references to medical marijuana from the subject line and removing patients’ full names and unique program registration numbers from the body of the message. A Massachusetts attorney said the email notification violates a 2008 consumer protection statute by former governor Deval Patrick. [Boston Globe] See also: [Turbotax’s Database Knows Your Secrets]

AU – Teenage Hacker Leaks 870K ATC Records

In what Will Ockenden described in an ABC News report as “a privacy breach that touches some of the country’s most senior figures in the courts, police, government, business and media,” more than 870,000 personal records from the December breach of insurer Aussie Travel Cover (ATC) have been shared on the Internet by a teenage hacker. “ATC was notified of the intrusion on December 23, but failed to immediately notify customers and policy-holders,” the report states, noting Queensland-based hacker Abdilo “stole troves of data from two of the company’s databases, which contained a total of more than 870,000 personal records” including names, addresses and partial credit-card numbers. [SC Magazine]

US – Home Depot Has Until July to Respond to Suits

Following one of the first court hearings for the class-action lawsuit following Home Depot’s data breach, the court gave the retailer “until July to respond to allegations that its massive data breach was caused by the company failing in its obligation to comply with security standards and to protect its customers’ personal information.” At a hearing last week in a U.S. District Court in Atlanta, GA, Judge Thomas Thrash also “established two separate tracks for the litigation, one for consumers and a second for financial institutions,” the report states, and gave Home Depot until July 1 to respond to consumers’ allegations and July 15 to respond to those of financial institutions. [Atlanta Business Chronicle]

AU – Private Details Leaked After Travel Insurance Company Hacked

It’s a privacy breach that touches some of the country’s most senior figures in the courts, police, government, business and media. But it’s not just the influential who’ve had their private details stolen. Database logs show it could affect hundreds of thousands of Australians. [ABC]

MX – Liverpool Systems Hack Could Cost More than $1M

A December attack on retailer Liverpool systems in Mexico could cost at least 107 million pesos (approximately one million USD), including compensation for damage to the company’s clients and any fines imposed by the data protection authority (IFAI). In the attack, cybercriminals accessed bank account information, addresses and personal information of customers. IFAI could fine the company 18 million pesos. Liverpool is the third largest issuer of credit cards in Mexico. (Article in Spanish.) [Full Story]

WW – If You Use Either of These WordPress Themes Update Them Now

Older versions of the Platform theme contain a remote code execution bug that could allow any attacker to completely take over a website running the vulnerable theme. Older versions of both Platform and PageLines contain a privilege escalation bug that could allow users with an account to turn themselves into an administrator with total control of a site. [Naked Security]

NZ – Abortion Data Handed Out By Mistake

The personal medical information from 2011-13 confirms the terminations took place in Tokoroa Hospital, Thames Hospital, Waikato Hospital and Anglesea Procedure Centre. The medical information includes dates of birth, National Health Index numbers, ethnic descriptions, termination details and the suburb in the town where the women live. The Ministry of Health is investigating and the health board has apologised for the breach. [Source]

US – 11th Circuit Allows FTC Data Breach Case Against LabMD to Proceed

The Eleventh Circuit did not address the issue of the FTC’s authority to enforce healthcare privacy standards. Instead, the Eleventh Circuit held that before a federal court will review the case, LabMD must first exhaust its administrative remedies, which means LabMD must first go through the FTC administrative hearing process until the FTC makes a final decision. The Eleventh Circuit ruled that only then will LabMD be able to ask the federal courts to weigh in on the FTC’s authority. [National Law Review]

US – Warehouse Fire Exposes Sensitive Documents

A highly visible fire in Brooklyn, NY, has exposed reams of sensitive documents, including decades’ worth of medical records, court documents and financial data. One observer said of the documents, “They’re like treasure maps but with people’s personal information all over them.” The city has sent a disaster-recovery team to collect the exposed documents, even though “beachcombers sifted freely through the trove of documents, picking their way through remnants of the days when many records were on paper and the city government was one of the few takers for north Brooklyn’s waterfront land.” [The New York Times]

Identity Issues

WW – Researchers Can Identify Anonymous Shoppers

By using relatively few pieces of data, researchers were able to identify “anonymous” shoppers. In a study called “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata,” a group of data scientists analyzed credit card transactions of 1.1 million shoppers in 10,000 stores during a three-month period. Though the data had been stripped of personal details, including names and account numbers, knowing four random pieces of data was enough to reidentify 90% of the shoppers, the report states. The research is part of a larger special issue of Science, dedicated to “The End of Privacy.” [The New York Times] [Associated Press]
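An added example, not code or data from the study above, showing the kind of measurement behind the “four random pieces of data” finding: for each shopper, a few of their (shop, day) transaction points are sampled and the number of shoppers consistent with all of those points is counted; a shopper whose points match only themselves is reidentified. The dataset is constructed at random and its numbers do not reproduce the study’s; the example also goes one step beyond the passage by coarsening the day to a weekly bucket, which shows how lowering resolution reduces uniqueness.

```python
import random
from collections import defaultdict

# Added example (not the study's code or data): unicity of transaction metadata.
# A "point" is (shop, coarsened day); a shopper is reidentified when the points
# sampled from their history are consistent with no other shopper.

def build_index(transactions, day_bucket=1):
    """Map each (shop, day // day_bucket) point to the set of users seen there."""
    index = defaultdict(set)
    for user, shop, day in transactions:
        index[(shop, day // day_bucket)].add(user)
    return index

def matching_users(index, points):
    """Users consistent with every observed point (intersection of per-point sets)."""
    sets = [index.get(p, set()) for p in points]
    if not sets:
        return set()
    return set.intersection(*sets)

def unicity(transactions, p, day_bucket=1, seed=0):
    """Fraction of users uniquely identified by p randomly chosen points of theirs.

    The raw transactions are sampled before coarsening, so for a fixed seed the
    same purchases are used at every resolution and coarsening can only merge
    match sets, never split them.
    """
    rng = random.Random(seed)
    index = build_index(transactions, day_bucket)
    by_user = defaultdict(list)
    for user, shop, day in transactions:
        by_user[user].append((shop, day))
    unique = 0
    for user, txns in by_user.items():
        chosen = rng.sample(txns, min(p, len(txns)))
        points = {(shop, day // day_bucket) for shop, day in chosen}
        if matching_users(index, points) == {user}:
            unique += 1
    return unique / len(by_user)

def constructed_dataset(n_users=300, n_shops=40, n_days=90, per_user=25, seed=1):
    """Constructed sample: each user makes per_user purchases at random shops/days."""
    rng = random.Random(seed)
    txns = []
    for u in range(n_users):
        for _ in range(per_user):
            txns.append((f"user{u:03d}", rng.randrange(n_shops), rng.randrange(n_days)))
    return txns

def report(transactions):
    """Unicity for 1 to 4 known points at daily and weekly resolution."""
    return {p: (unicity(transactions, p), unicity(transactions, p, day_bucket=7))
            for p in range(1, 5)}

if __name__ == "__main__":
    for p, (daily, weekly) in report(constructed_dataset()).items():
        print(f"{p} point(s): daily {daily:.2f}, weekly {weekly:.2f}")
```

Stripping names and account numbers does nothing to the quantity this measures; what lowers it is coarsening (weekly instead of daily, neighbourhood instead of shop) or limiting how many points an outsider can learn, which is why the study’s authors treated resolution, not pseudonymisation, as the lever.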

US – Experian Launches Fraud Surveillance and ID Theft Resolution Offering

ProtectMyID® now includes payment card fraud monitoring at consumers’ fingertips with the BillGuard mobile app … Members of Experian’s ProtectMyID can now download the BillGuard mobile app and access both their ProtectMyID alerts and BillGuard features within the BillGuard mobile app. [NewsWire]

Intellectual Property

WW – How to Hide Your Online Identity With a VPN Service

VPN services mask users’ locations and help them stay hidden on the internet. It’s still unclear if VPN services located in Canada or operating within the country will be subject to the section of Canada’s Copyright Modernization Act that forces ISPs to send out notice-and-notice letters to their customers, given how ambiguous the language in the act currently is. Some VPN services like Toronto-based Tunnelbear have already banned the use of Torrents on their network in order to avoid future legal complications. [Source]

Internet / WWW

US – FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks

A new FTC report recognizes that rapid growth of connected devices offers societal benefits, but also poses risks that could undermine consumer confidence. The report takes a flexible approach to data minimization. Under the recommendations, companies can choose to collect no data; to collect only data limited to the categories required to provide the service offered by the device; to collect less sensitive data; or to de-identify the data collected. [FTC] SEE ALSO: [Privacy Law Blog: US and UK Regulators Position Themselves to Meet the Needs of the IoT Market] | [Tech Liberation: Some Initial Thoughts on the FTC Internet of Things Report] | [TechCrunch: What Happens to Privacy When the Internet is in Everything?] | [CSO Online: Five Myths (Debunked) About Security and Privacy for Internet of Things]

UK – Regulator Calls for International Standards

Ofcom, a telecommunications regulator in the UK, has called for international industry standards on privacy in the Internet of Things (IoT). In an outline published the same day the U.S. FTC released a highly anticipated report on IoT, Ofcom wrote, “We have concluded that a common framework that allows consumers easily and transparently to authorize the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector,” adding, “We consider that these approaches should ideally be agreed internationally where possible, so as not to inhibit sale and use of IoT devices and services across international boundaries…” [GigaOM]

WW – At World Economic Forum: Researchers Say Privacy is Dead

Harvard professors at the World Economic Forum in Davos pronounced that privacy is effectively dead. “Privacy as we knew it in the past is no longer feasible,” said Margo Seltzer, a professor in computer science at Harvard University. Another researcher said intelligence agencies’ use of personal genetic information will increasingly enter the public sphere and that, “We are at the dawn of the age of genetic McCarthyism.” [The Daily Mail] [Privacy Is Dead, Davos Hears]

WW – Commissioner Calls for New UN Agency

In Davos this week, the European Commissioner for the Digital Economy said a UN agency for data protection and data security is needed to protect the confidential and personal information of citizens around the world.

US – Microsoft’s Smith: Laws Need to Be Modernized

Microsoft’s Brad Smith “has called for an accord between the EU and the U.S. to make it easier for law enforcement authorities to access and share citizens’ data,” Financial Times reports. Meanwhile, during the Charlie Hebdo attacks in France, “Microsoft Corp. handed the FBI data linked to the Charlie Hebdo probe within an hour of being asked,” prompting Smith to point out “the system can work and that extra snooping should only happen if strictly regulated,” the report states. Smith noted laws should “be ‘modernized’ to allow the rule of law, including the Internet, to work across national borders,” the report states. [Bloomberg Businessweek]

UK – ICO Investigation Prompts Google to Change Privacy Policy

The UK Information Commissioner’s Office (ICO) has announced Google will sign an undertaking requiring it to be more transparent about how it collects and uses personal data through its services. According to an ICO press release, Google has been too vague in how it processes users’ data. ICO Head of Enforcement Steve Eckersley said, “Google’s commitment today to make these necessary changes will improve the information UK consumers receive when using their online services and products,” adding that organizations need “to properly understand the impact of their actions and the requirement to comply with data protection law.” Google must now make the necessary changes by June 30 and “take further steps over the next two years.” [Full Story]

WW – TRUSTe Approved as APEC Accountability Agent

The 21 APEC Member Economies have unanimously approved TRUSTe as an Accountability Agent for its Cross-Border Privacy Rules (CBPR) System. The CBPR System is a self-regulatory code of conduct addressing cross-border data flow between member economies; currently Japan, Mexico and the U.S. participate in the program. “As an Accountability Agent, TRUSTe will continue to review, certify, monitor and enforce the privacy practices of participating U.S.-based companies or subsidiaries to ensure compliance with the CBPR system,” the release states. [Full Story]

Law Enforcement

US – Gov’t to Pay for Impersonating Woman on Facebook

In a settlement announced this week, the federal government agreed to pay $134,000 to a New York woman, Sondra Arquiett, who accused a Drug Enforcement Administration agent of impersonating her on Facebook without her permission. In 2011, the agents impersonated Arquiett by creating a Facebook page of her posing with her son and niece to investigate an alleged drug ring. Privacy advocates are worried such tactics pose unique threats, the report states. Meanwhile, lawmakers on the Senate Judiciary Committee raised concerns yesterday about radar devices that allow police officers to effectively see into suspects’ homes. [The Wall Street Journal]

US – Body Cameras for L.A. Police: Access to Video, Privacy Among Concerns

Some San Fernando Valley residents are concerned about privacy and access to LAPD body-camera footage. “We’re going to be having on-body cameras,” Soboroff said. “American law enforcement is going to have on-body cameras. It’s a transformational movement in law enforcement.” [LA Times]

US – Law Firm Takes on Revenge Porn

In September, Pittsburgh-based law firm K&L Gates launched its Cyber Civil Rights Legal Project in order to advise victims of revenge porn, and it now has about 50 lawyers volunteering their time. The program advises victims on legal steps to sue for damages and “works with victims to consider the pros and cons of reporting online abuse to prosecutors.” One novel approach the firm takes is to use copyright law to sue people for unauthorized posting of images. “Copyright is not designed to deal with revenge porn; it just happens to give you a remedy,” says K&L Gates Partner David Bateman, noting it’s not “perfect and won’t be available in all situations.” [The New York Times]

US – FTC Charges Website Operator for Revenge Porn Deception

The FTC has charged an operator of an alleged revenge porn website for using deception to acquire intimate photos of women then referring them to another website he owned where they could have their photos removed for hundreds of dollars. Craig Brittain is banned from publicly sharing such intimate photos without the subjects’ affirmative express consent. He must also destroy the photos in his possession and the contacts made while operating the site. FTC Bureau of Consumer Protection Director Jessica Rich said, “This behavior is not only illegal but reprehensible,” adding, “I am pleased that as a result of this settlement, the illegally collected images and information will be deleted and this individual can never return to the so-called ‘revenge porn’ business.” [FTC press release]

US – Gov’t Has Massive License-Plate Database; Police Want Waze to Go Away

The U.S. Department of Justice has built a nationwide database to track the movement of vehicles in real time. The covert intelligence program scans and retains hundreds of millions of motorists’ records. According to documents acquired by the American Civil Liberties Union (ACLU), more than 100 cameras in at least seven states have been set up to snap shots of and store license plates of every passing vehicle. Records on vehicles that are not part of existing investigations have their images deleted after six months, a time period the ACLU argues is “far too long.” Meanwhile, some law enforcement officials are concerned that mobile traffic app Waze can be used by bad actors to hunt and harm police officers. [The Wall Street Journal] [Police Can’t Have It Both ‘Waze’ on Expectation of Privacy In Public]

US – GPS Act Would Restrict Cops’ Use of ‘Stingrays’ and Other Phone Surveillance Tech

Many local, state and federal police agencies using Stingrays first bought them with the stated intention to use them to fight terrorism. Since Stingrays have become more prominent, police have reluctantly admitted using them to investigate crimes including murder and cell phone robbery. A November Wall Street Journal report revealed that the U.S. Marshals Service has flown Cessna airplanes equipped with Stingray-like devices known as “dirtboxes” in the sky over at least five major U.S. airports. [IB Times]

US – Lawmakers Push to Require a Warrant for GPS Tracking by Police

“Buying a smartphone shouldn’t be interpreted as giving the government a free pass to track your movements,” Sen. Ron Wyden (D-Ore.), one of the bill’s authors, said in a statement. “GPS data can be a valuable tool for law enforcement, but our laws need to keep up with technology and set out exactly when and how the government can collect Americans’ electronic location data.” Courts have so far been mixed about which legal protections apply for information about people’s location. [The Hill]

US – New Police Radars Can ‘See’ Inside Homes

At least 50 U.S. law enforcement agencies, including the FBI and the U.S. Marshals Service, quietly began deploying radars that let them effectively see inside homes more than two years ago, with little notice to the courts and no public disclosure of when or how they would be used. The technology raises legal and privacy issues because the U.S. Supreme Court has said officers generally cannot use high-tech sensors to learn about the inside of a person’s house without first obtaining a search warrant. [USA Today]

CA – Video Rule for TTC Hampers Hunt for Sex Attacker

Efforts to track the man down have been hampered because security camera footage from the bus was erased by the time investigators went looking for it… After 15 hours of operation, video stored within cameras on buses and streetcars is “overwritten,” the report states, explaining that the time limit was mandated by Ontario’s privacy commissioner when the TTC installed the cameras. [Toronto Sun]

US – Seized-Asset Sharing Process Split Billions With Local, State Police

Attorney General Eric Holder is barring local and state police from using federal law to seize cash, cars and other property without proof that a crime occurred – the most sweeping check on police power to confiscate personal property since the seizures began three decades ago. Holder’s decision allows limited exceptions, including illegal firearms, ammunition, explosives and property associated with child pornography, a small fraction of the total. This would eliminate virtually all cash and vehicle seizures made by local and state police from the program. [Washington Post] [PBS: Will Federal Reforms on Civil Forfeiture Mean More Police Accountability?]


US – Advocates Concerned About FCC Location Data Requirements

“Americans dial 911 nearly 240 million times a year, and 70% of the calls are made on cell phones,” noted a 2013 study that found that more than 10,000 people die each year because the location data wireless providers transmit to emergency personnel is insufficiently precise. So the FCC voted 5-0 to improve the indoor location of wireless 911 calls, requiring major telecommunications companies to provide horizontal-location information, within 50 meters of a caller, and vertical information—what floor a caller is on—for 67% of emergency calls. In five years, they’d be required to provide that information for 80% of emergency calls. Civil liberties groups say the plan lacks any mention of privacy safeguards. [Newsweek]

US – Using the FTC Casebook to Find Your Geolocation Strategy

The IAPP Westin Research Center has launched its FTC Casebook. This digital resource, free to IAPP members, contains the more than 180 FTC privacy and data security enforcement actions the FTC has initiated since 1998, each one tagged, indexed and full-text searchable. The Casebook’s benefits and functionality (which have been described, narrated and reviewed over the past week) were developed with the intention of making IAPP members’ roles as privacy professionals a little easier.


The Compliance Challenges That Can No Longer Be Ignored

APEC members Singapore, Malaysia, the Philippines, South Korea and Taiwan have all passed comprehensive data privacy regimes in the past five years. India enacted an IT law in 2011, which tracks a similar principle-based approach to data privacy. Perhaps most significantly, China has also passed a whole raft of legislation in this area in recent years, both industry specific and of more general application. [HLDA]

Online Privacy

US – No ‘Right to Be Forgotten’ Even if Record is Expunged: 2nd Circuit

After her record was expunged, Martin asked news organizations to take down the articles. Hearst and News 12 Interactive refused, arguing that they had accurately reported the fact of Martin’s arrest. So in July 2012, Martin sued Hearst and News 12 in federal court in New Haven, Connecticut, for libel, invasion of privacy and infliction of emotional harm. The news stories they refused to change or delete, her lawyers said, may have been accurate at the time of her arrest. But once the state erased her record, they argued, stories of her arrest were false and defamatory. The 2nd U.S. Court of Appeals sided with the news organizations and upheld the dismissal of Martin’s case. The erasure of Martin’s record, wrote Judge Richard Wesley for a panel that also included Judges John Walker and Dennis Jacobs, does not change historical truth, however much she might wish otherwise. “The Moving Finger has moved on,” Wesley wrote, paraphrasing Omar Khayyam. The opinion also cited previous rulings in which state courts in New Jersey, Oregon and Massachusetts held that expungement statutes don’t change history, merely what former defendants are permitted to say about the past. [Reuters] [Courthouse News: Woman Can’t Scrub Arrest from the Internet]

US – Circuit: Reports of Dismissed Arrest Not Libel

“In short, the Erasure Statute requires the state to erase certain official records of an arrest and grants the defendant the legal status of one who has not been arrested,” Wesley said. “The statute creates legal fictions, but it does not and cannot undo historical facts or convert once-true facts into falsehoods.” Here, it was uncontroverted that Martin was arrested and the reports of her arrest were true. “Neither the Erasure Statute nor any amount of wishing can undo that historical truth,” he said. “The Moving Finger has written and moved on.” [New York Law Journal] [Wall Street Journal: Some Things Should Not Be ‘Forgotten’] | [Right To Be Forgotten and Right To Be Remembered]

US – Verizon to Allow Opt-Out of “Supercookies”

Verizon has agreed to allow users to opt out of “supercookies” after criticism from privacy advocates and others that included a consumer petition circulated by the EFF and calls from Consumer Watchdog for regulators to tighten the data-sharing regulations on wireless carriers. Sen. Bill Nelson (D-FL) said the Commerce Committee will investigate the company for its use of “supercookies,” and in a letter published by Fusion, tech reporter Kashmir Hill tells the company, “Putting a tracking code on my Internet activity without telling me or giving me a right to say no is not okay.” While this change represents an about-face, EFF lawyer Nate Cardozo says, “What they really should be doing is opt-in.” [New York Times] [EFF: How Verizon and Turn Defeat Browser Privacy Protections]

US – Turn Suspends “Zombie” Cookie Program

After a ProPublica report on so-called “zombie” cookies used by Turn and Verizon, Turn has announced it is suspending the program pending re-evaluation. Turn Chief Privacy Officer Max Ochoa wrote, “We are confident that our practices, including the re-association of a Turn cookie ID with a Verizon UIDH (Unique Identifier Header) comply with self-regulatory guidelines and principles regarding consumer opt-out through these tools,” but added, “we have heard the concerns and are actively re-evaluating this method.” He said by February, Turn will not “respawn” cookie IDs associated with Verizon’s UIDH. Ochoa also noted that, “As part of this re-evaluation, Turn is engaging with media and industry participants including advocates to further educate and inform regarding industry-wide practices.” A Verizon spokeswoman told AdAge, “The intent of the UIDH is to be used as part of our advertising programs, which have robust privacy protections, not as described in recent media reports.” [Full Story]
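The two items above describe the same mechanism from both ends: the carrier appends a stable per-subscriber header to plaintext HTTP requests, and an ad server keeps a table from that header to its own cookie ID, so a cookie the user deletes can be “respawned.” The following is an added toy model of that flow, not code from Verizon, Turn or the original article. The header name `X-UIDH` follows the reporting; the subscriber ID, token derivation and cookie format are constructed for the demo. It also shows the one thing a user could do about it at the time: the carrier sits outside the TLS session, so it cannot inject anything into HTTPS requests.

```python
"""
Added example (not from the original article or from Verizon/Turn): a toy
model of how a carrier-injected header such as X-UIDH defeats cookie
deletion, and why TLS blocks the injection. Token and cookie formats are
constructed for the demo, not the real ones.
"""
import hashlib
import secrets
from typing import Dict

UIDH_HEADER = "X-UIDH"  # header the carrier appended to plaintext HTTP requests


class Carrier:
    """Models a carrier proxy that appends a stable per-subscriber header to
    plaintext HTTP requests. It cannot alter TLS traffic, so HTTPS requests
    pass through unchanged."""

    def __init__(self, subscriber_id: str) -> None:
        # A stable opaque token derived from the subscriber account (constructed).
        self.uidh = hashlib.sha256(subscriber_id.encode()).hexdigest()[:32]

    def forward(self, url: str, headers: Dict[str, str]) -> Dict[str, str]:
        if url.startswith("http://"):
            return {**headers, UIDH_HEADER: self.uidh}
        return dict(headers)  # HTTPS: the proxy cannot see or modify headers


class Tracker:
    """Models a third-party ad server that issues a tracking cookie and, when
    it sees the carrier header, 'respawns' a deleted cookie from it."""

    def __init__(self) -> None:
        self.by_uidh: Dict[str, str] = {}  # UIDH -> tracking cookie ID

    def handle(self, headers: Dict[str, str]) -> str:
        cookie = headers.get("Cookie")
        uidh = headers.get(UIDH_HEADER)
        if cookie:
            if uidh:
                self.by_uidh[uidh] = cookie  # re-associate cookie ID with UIDH
            return cookie
        if uidh and uidh in self.by_uidh:
            return self.by_uidh[uidh]  # respawn: same ID although cookie was deleted
        new_id = secrets.token_hex(8)
        if uidh:
            self.by_uidh[uidh] = new_id
        return new_id


def simulate(scheme: str) -> bool:
    """Return True if the tracker recovers the same ID after the user clears
    cookies, i.e. the supercookie defeated cookie deletion."""
    carrier = Carrier("subscriber-12345")  # constructed subscriber
    tracker = Tracker()
    url = f"{scheme}://ads.example.test/pixel.gif"
    first = tracker.handle(carrier.forward(url, {}))
    # The browser stores the cookie and sends it on the next request.
    tracker.handle(carrier.forward(url, {"Cookie": first}))
    # The user clears cookies; the next request carries no Cookie header.
    after_clear = tracker.handle(carrier.forward(url, {}))
    return after_clear == first


if __name__ == "__main__":
    print("HTTP  respawned after cookie deletion:", simulate("http"))
    print("HTTPS respawned after cookie deletion:", simulate("https"))
```

The opt-out Verizon announced operates at the `Carrier` layer (the header is no longer appended); Turn’s suspension operates at the `Tracker` layer (the `by_uidh` lookup is no longer used). Neither was under the user’s control, which is why the EFF argued for opt-in. A site operator can at least detect the injection by logging any incoming `X-UIDH` header.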

WW – Datacoup Wants Users to Monetize Their Data

Yahoo CEO Marissa Mayer said technology firms must give users the ability to control their data in order to strengthen trust in the digital marketplace. “I think controlled consent, the idea that you are actively acknowledging what you’re doing and are being very open about how the data is being used and where it’s going to flow” is the future, she said, adding, “We take active commercial decisions not to do certain things with data.” CNBC reports on Datacoup, a company attempting to give users the ability to aggregate and monetize their personal data. “If people begin to understand what their data is worth by using a service like Datacoup, Google’s revenue model (could) collapse,” one analyst said. [The Drum]

UK – Data Protection Issues of Growing Importance to Retailers, Says Expert

Addressing data privacy and security issues is becoming an increasingly critical function of UK retailers’ business, a legal expert in the retail sector has said. “Cyber security is sufficiently important to demand the attention of senior managers and board room members in the retail sector,” Leman said. “For the chief information officer, they will want to know just how good the security measures deployed by their company are, whilst general counsels need to be confident that they can demonstrate their business did everything it could to protect data and had an effective incident response plan the company acted on in the event of a breach. The Target data breach case in the US highlighted the importance of IT security to retailers as well as the consequences there can be for senior executives and their jobs.” [Out-Law]

US – Companies Launch Offline-Online Ad Retargeting Platform

A Norway-based startup and a U.S. location-based marketing firm have announced plans to launch a global partnership with the ability to use data gleaned from in-store beacons to retarget consumers online. Together, Unacast and Total Communicator Solutions hope to accomplish an industry first by connecting the offline and online shopping worlds. The platform works when shoppers install the app and turn on Bluetooth on their phones. If they’ve opted in, when they walk into a store to look at shoes, for example, they’ll receive a personalized message; plus, days, weeks or months later, they will likely see ads for the products they browsed while in the store. [Business Insider] [Now Advertisers Can Use Beacons to Make the Shoes You Were Looking at Inside a Physical Store Follow You Around the Internet]

US – FTC’s Rich Warns Ad Industry About Privacy

FTC Consumer Protection Director Jessica Rich had strong words for ad companies at an industry event. She said the industry should not “play games about what ‘sensitive data’ means, such as defining medical data to mean only official medical records.” Rich also discussed the self-regulatory codes of the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA), noting that both define “sensitive” data differently. “The NAI code is stronger than DAA’s in this regard,” she noted. Recognizing that behavioral ads do have some benefits, Rich also discussed enhanced forms of online tracking and that consumers “who know about tracking and want to avoid it can’t do so effectively.” [MediaPost]

WW – Mozilla Tightens Referrers for Improved Privacy

Mozilla is tweaking its referrer header to help websites protect their users’ privacy, according to a Mozilla blog post. Principal Security and Privacy Engineer Sid Stamm writes, “as the web got more complex, the amount of information in the referrer header ballooned, leading to bigger privacy problems.” Stamm notes that “HTTP Referrer provides a wealth of information about where you came from to the sites you visit, but this context isn’t always necessary (or desired) … What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy-invasive.” [Full Story]

Other Jurisdictions

WW – Introducing: The DPAs Alumni Network

Former UK Information Commissioner Richard Thomas, now global strategy advisor to the Centre for Information Policy Leadership, has announced the creation of a new Alumni Network for former privacy and data protection commissioners around the globe. A relatively informal network, the group has already collected more than 30 former commissioners and is looking to spread the word and expand. [The Privacy Advisor]

CN – New Rules in China Upset Western Tech Companies

The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software. …The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are intended to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets. [NYTimes]

EU – Spanish Court Rules on RTBF; Google’s Position “Doesn’t Make Sense”

A Spanish court has ruled Google must remove links from a search on a man’s name. The ruling comes eight months after an EU court confirmed the right to be forgotten. The Spanish court ruling means Google must cut the link to a notice on social security debtors in La Vanguardia newspaper because the information about the man is now outdated. Freedom of information rights aren’t being infringed upon, however, because the original content is still available in the newspaper’s online archive, the court said. Meanwhile, EPIC’s Marc Rotenberg said Google’s general position, that it doesn’t want to apply the right to be forgotten outside of Europe, “does not make sense.” [Bloomberg]

WW – Will Google Apply RTBF Beyond the EU?

Contrary to regulators’ guidelines, Google is only removing search results from European websites when individuals invoke their “right to be forgotten.” But the company says it will review that approach soon. By month’s end, Google’s advisory council, which has held public meetings across Europe for the last four months, is expected to report its conclusions on a review of whether Google’s data removals should apply only to its European websites or globally. “We’ll take the report, along with the Article 29 input and other input, and arrive at an approach,” said Google Chief Legal Officer David Drummond. “It’s our strong view that there needs to be some way of limiting the concept, because it is a European concept.” [Reuters]

MX – IFAI Could Impose Sanctions on Google in RTBF Case

Mexico’s Federal Institute for Information Access and Data Protection (IFAI) has started proceedings that could impose sanctions on Google for an alleged breach of the nation’s data protection law. The IFAI initiated the proceedings after Google Mexico did not agree to a take-down request from a Mexican citizen wishing to have personal data removed from the search engine. According to the report, Mexican law could fine an organization in breach of national data protection law up to $1.53 million. [Reuters] See also: Brazil held its first open consultation to debate and shape the Marco Civil, reports BNamericas.

Privacy (US)

US – Justice Department Drops Court Battle; Hands Document to Privacy Group

The Justice Department has agreed to turn over a legal opinion on surveillance and census data following a yearlong court battle with the Electronic Frontier Foundation (EFF). The department dropped its appeal of a federal judge’s decision requiring it to provide the opinion to the EFF. The group sued to obtain documents on government surveillance, including a document that analyzed law enforcement access to census data, under the USA PATRIOT Act. A Justice Department spokeswoman said the department will turn over the document to the EFF. [Associated Press]

US – White House Proposes National Data Breach Notification Standard

The FTC would enforce the law, with violations constituting an unfair or deceptive practice, and the FTC would be given broad rulemaking authority to issue whatever regulations it deems necessary to carry out its duties with respect to the law. The proposed legislation would require that the FTC coordinate with other agencies in the issuance of regulations when such regulations would affect entities subject to regulation by the FCC or the Consumer Financial Protection Bureau. State Attorneys General would also have the authority to enforce the law, subject to certain FTC rights to intervene, stay, or remove the proceeding. The proposed law does not create, or make any mention of, a private right of action. [Source]

US – Data-Privacy Advocates Welcome Obama’s Support, With Caveats

“Right now the companies are following the strongest state laws,” said Pam Dixon of the World Privacy Forum. She said a draft of the proposal posted on the White House website “doesn’t come close to the strongest state law, so the best thing would be to leave state protections in place.” Mark M. Jaycox of the Electronic Frontier Foundation warned that the White House language would strip states’ attorneys general of the power to respond aggressively to data breaches. He also voiced concern that the bill would allow companies to avoid notifying customers simply by reporting breaches to the FTC. [Source]

US – Obama Calls for New Law to Meet ‘Evolving Threat of Cyberattacks’

A key stumbling block in the effort to rewrite laws remains the concern from some U.S. companies that sharing information with the government could expose them to shareholder lawsuits or a customer exodus, and they have also complained that certain government agencies aren’t being forthcoming enough with certain intelligence. [WSJ] [CNET: Will Obama Finally Change Cybersecurity In America?] [Gizmodo: Obama’s War on Hackers Is Turning Everyone into a Suspect] [AdAge: Where’s the Breach? Obama Leaves Out Domestic Data Issues]

US – Obama Abandons Telephone Data Spying Reform Proposal: U.S. Officials

Under the proposal floated by a Presidential review panel, telephone call “metadata” generated inside the United States, which NSA began collecting in bulk after the Sept. 11, 2001 attacks, could instead be collected and retained by an unspecified private third party. The Obama administration has decided, however, that the option of having a private third party collect and retain the telephone metadata is unworkable for both legal and practical reasons. “I think that’s accurate for right now,” a senior U.S. security official said. [The National Law Review] [HLDA: The 2015 State of the Union Addresses Cybersecurity, Data Security, and Privacy]

US – Obama Supports Cybersecurity and Privacy; Experts Warn of Unintended Impacts

The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies’ weapons against cybercrime, and national data breach reporting. Those are all worthy goals, however, they’re not necessarily the more urgent ones. Security experts disagree on how—or whether—these goals can even be achieved. [PC World]

US – 5 Things to Know About Obama’s New Cybersecurity Proposals

Christopher Soghoian, the principal technologist at the American Civil Liberties Union, said “nothing” the president is proposing “would do anything to actually improve cybersecurity.” The Electronic Frontier Foundation (EFF), a leading digital rights advocacy group, called the president’s cybersecurity proposals a “mishmash of old, outdated policy solutions,” and argued that the information-sharing proposals risk exposing Americans’ private information. It’s not just privacy advocates. Cybersecurity experts are also not big fans of Obama’s proposals. [Mashable]

US – White House Gets It Wrong, Credit Scores Poor Tool for Detecting ID Theft

The credit scores that are being given away are general use FICO and VantageScore risk scores. … They are not, and have never been, designed to be a fraud detection tool. …When someone applies for credit in your name, there are a variety of changes that can occur on your credit reports. The following is a list of those credit report changes, and any impact they would have on your credit scores. Remember, the White House would have you believe seeing your credit scores for free every month would somehow alert you that you’ve been the victim of identity theft. [Huffington Post]

US – PCLOB to White House: You’re Getting There…

In a nod to the one-year and six-month anniversaries of its reports on Section 215 and Section 702, respectively, the Privacy and Civil Liberties Oversight Board (PCLOB) released an assessment of how well the White House has implemented its recommendations for amending programs that collect telephone records in bulk and guide the Foreign Intelligence Surveillance Court. Most significantly, the PCLOB notes that the administration has not implemented its recommendation to halt the NSA’s telephone records program, “which it could do at any time without congressional involvement,” nor has the White House created a way to assess the value of this kind of record collection. “At some point, you have to draw the line and say you have to act on your own,” PCLOB Chairman David Medine told The Guardian, “because this program isn’t particularly effective.” [Full Story]

US – Cam Kerry on Consumer Bill of Rights: “Making Up for Lost Time”

Nearly three years after President Barack Obama first announced a “privacy blueprint” laying out the Consumer Privacy Bill of Rights, the wheels are now in motion. The initial blueprint provided a framework for what legislation should look like. “As the leader of the administration’s work on consumer privacy,” writes Cameron Kerry, “I worked over the following year with my staff in the Commerce Department’s Office of General Counsel and NTIA to put this roadmap into legislative language and pave the way for introduction of a bill.” [Privacy Perspectives]

US – FTC Releases IoT Report

The FTC released its report on the Internet of Things (IoT). The FTC recommends businesses take a number of steps to enhance and protect the privacy of consumers. “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez writes. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.” Commissioner Joshua Wright provided a dissent here. [Full Story]

US – FTC CPO Resigns, Joins Firm as Senior Counsel

FTC Chief Privacy Officer (CPO) Peter Miller has resigned and joined law firm Crowell & Moring as senior counsel for its advertising and product risk management and privacy and cybersecurity groups. Miller has been with the FTC for 10 years, including as an attorney within the Division of Advertising Practices and assistant director for regional operations for the Bureau of Consumer Protection, the report states. He’s held his post as CPO since 2012 and used the post to publicly urge other federal agencies to be more proactive about building privacy protection into IT systems from the ground up. [FCW]

US – FTC Denies Second Proposed Verifiable Consent Method

The FTC has denied AgeCheq’s second proposed COPPA Rule verifiable parental consent method. AgeCheq had proposed a device-signed parental consent form using a multistep process involving the entry of a code sent via text. In its letter to AgeCheq, the FTC stated the company’s proposed method, specifically the type of data collected to verify a parent’s identity, was not compliant with COPPA. The FTC also noted the proposal “did not meet the rule’s requirements that it be reasonably calculated to ensure the person providing the consent is the child’s parent or guardian,” as the individual trying to obtain consent “could easily be the child using the very device on which an app seeking consent was downloaded.” [Full Story]

US – Uber to Implement Privacy Program Recommendations

Uber announced that it is strengthening its privacy programs as the result of an outside privacy assessment, laid out in a 40-page review. The ride-sharing start-up retained Hogan Lovells Partner Harriet Pearson and her team last November after a number of reports surfaced about the company’s controversial use of consumer data, leading some to apply the name “Ubergate.” [Source]

SK – Uber Faces Legal Trouble from Regulator

South Korean telecommunications regulator Korea Communication Commission (KCC) has reported ride-sharing service Uber to local prosecutors for potential violations of the country’s information protection laws. According to national legislation, businesses using geolocation data must report such activity to related authorities, and the KCC claims Uber did not do so. A company spokesman said it will comply with local laws as much as possible, the report states. [CNET]

US – CA Privacy Committee Could Be “Key Committee” to Watch

The newest and perhaps “hottest” committee in the coming state legislative session, the new Committee on Privacy and Consumer Protection “is the key committee to watch in the coming session.” Created earlier this month by California Assembly Speaker Toni Atkins (D-San Diego), the panel is designed to take on growing consumer privacy issues and the use of health, financial, educational and consumer habits of the millions of state residents. “California has a strong history of protecting consumer privacy while spurring an innovative economy,” Atkins said. Demand by Assembly members for inclusion on the panel was high, she added. One pick was Assemblyman Mike Gatto (D-Los Angeles), who has initiated a wiki page allowing Internet users to help draft state privacy legislation. [Los Angeles Times]

US – Bipartisan GPS Bill Introduced

Sen. Jeff Flake (R-AZ) will lead the Senate Judiciary Subcommittee on Privacy, Technology and the Law, it was announced. Two new lawmakers, Sens. David Perdue (R-GA) and Thom Tillis (R-NC), will join the subcommittee also. Meanwhile, with their introduction of the Geolocation Privacy and Surveillance Act, lawmakers in both parties are pushing to require police to have a warrant before tracking people’s locations via their cell phones and other GPS devices. “Buying a smartphone shouldn’t be interpreted as giving the government a free pass to track your movements,” said Sen. Ron Wyden (D-OR), one of the bill’s authors. [The Hill]

US – Judge Dismisses Wiretap Act Claim

A California federal judge dismissed claims in a multidistrict proposed class-action lawsuit that JTC Corp., Samsung Electronics Co. and other device makers violated the Wiretap Act by illegally collecting consumers’ data from their phones, “saying the plaintiffs didn’t sufficiently allege they intended to intercept communications.” [Law360]

US – N.Y. AG Seeks to Toughen Data Safeguards: Plan Would Require Businesses to Fortify Privacy Measures

The legislative proposal would provide a safe harbor to businesses that comply with the new requirements, meaning that a good-faith effort could shield them from liability actions resulting from a breach. To receive liability protection, businesses must be certified by an approved third-party auditor. [Data Breach Today]

US – Insurance Company Brings Breach Claim, Whole Foods Denies Fault

Travelers Casualty and Surety Co. of America has sued an Illinois-based Web design company, saying its negligence in designing and maintaining a community bank’s website contributed to a data breach, and Whole Foods Market Group Inc. told a Florida federal court this week that a former employee’s claim it fails to comply with federal privacy law when it screens prospective employees through credit checks is “blatantly false.”

US – Congress to Hold Breach Notification Hearing

The new Congress will hold its first hearing on data breach notification legislation next Tuesday. Rep. Michael Burgess (R-TX) said, “We need a plan in place that will help prevent data from being stolen in the first place and will also alleviate consequences if hackers are successful.” [The Hill]

US – Sony Hack Details to Come

Sony is expected to share details of its highly publicized hack with the House Oversight and Government Reform Committee. “We’ve talked to Sony, and they have agreed to get us the information,” said Rep. Elijah Cummings (D-MD). “They just need a little bit more time.”

WW – Bughunter Cracks “Absolute Privacy” Blackphone – by Sending It A Text Message

The details provided by Dowd amount to full disclosure, although he hasn’t included a proof-of-concept that would allow you to start exploiting the hole at will. He made the disclosure only after Blackphone had published a patch. Indeed, he publicly praised Blackphone on Twitter for the way it dealt with his bug report. [Naked Security] [Techcrunch: In Communications, Privacy And Security Are Illusions]

US – LabMD: Tiversa Misled FTC

In a new court filing, LabMD argues that Tiversa hacked into its computer systems and used data gleaned from the hack to mislead the FTC into believing sensitive data on 10,000 patients was unprotected. When LabMD refused to use Tiversa’s services, the filing claims, Tiversa went to the FTC with a data breach complaint. LabMD alleges the move was part of a conspiracy to “decimate” the now-defunct medical company. [Law360]

US – Google, Viacom Tracking Suit Dismissed

Google and Viacom Inc. won the dismissal of a lawsuit alleging the two companies illegally tracked the Internet activity of children under the age of 13 who visited Nickelodeon’s website to send targeted advertising, Fortune reports. The suit accused both companies of dropping cookies onto children’s computers that gathered information advertisers could use. But U.S. District Court Judge Stanley Chesler found “no showing that Google and Viacom could identify which children streamed specific videos or played specific video games, as opposed to identifying children generally,” the report states. He also said he found no showing the companies engaged in “highly offensive” behavior for which they could be held liable. [Reuters]

WW – Google, Khan Academy, 13 More Sign Pledge

Following President Barack Obama’s comments urging companies to sign the Future of Privacy Forum (FPF) Student Privacy Pledge, 15 more companies have signed on, including Google and the popular YouTube-based Khan Academy. The latest wave of companies joins the 75 that signed on last week, the report states, noting the pledge includes a “promise not to sell student information or to use behaviorally targeted advertising on education products. It also promises to make it easy for parents to see their students’ data and to be transparent about how those data are collected and used.” The FPF’s Jules Polonetsky noted, “There’s been an explosion of technology in schools, and with that has come a privacy backlash.” [The Washington Post]

US – Judge Caps Breach Liability Payment

A federal judge has placed a cap on the liability Schnuck Markets is responsible to pay its payment-processing vendors in the wake of a data breach. Judge John Ross ruled that First Data Merchant Services and Citicorp Payment Services could only withhold up to $500,000 in funds. It is not yet known how much was originally withheld from Schnucks. The company recently agreed to pay customers for fraudulent charges stemming from a breach that exposed 2.4 million payment cards. [St. Louis Business Journal]

US – Apple Says Privacy Fraud Claims Vague

Apple wants a federal judge to dismiss a consolidated class-action lawsuit alleging applications available in Apple’s App Store breached users’ privacy by taking users’ contact data, Law360 reports.

US – Journalist Sentenced to Five Years in Prison for Linking Hacked Data

U.S. journalist Barrett Brown has been sentenced for linking to hacked information from global intelligence company Stratfor. Brown, who allegedly has a “loose affiliation” with hacktivist collective Anonymous, received five years in prison and must pay $890,000 in restitution. “The government exposed me to decades of prison time for copying and pasting a link to a publicly available file that other journalists were also linking to without being prosecuted,” he wrote, adding, “The U.S. government decided today that because I did such a good job investigating the cyber-industrial complex, they’re now going to send me to investigate the prison-industrial complex.” Jeremy Hammond, the hacker responsible for the breach, is serving a 10-year sentence. [Time]

US – School Rule-Breakers to Hand Over Facebook and Twitter Passwords

The fact that passwords are to be demanded in the case of any rule-breaking sounds too strong. That’s the conclusion reached by Kade Crockford, director of Massachusetts’ ACLU. She dubbed Illinois’s move “government overreach” and said that either the law or schools’ implementation of that law may well be unconstitutional. [NakedSecurity]

US – Data Breaches Hit the Board Room: How to Address Claims Against Directors and Officers

The traditional aftermath of a data breach can involve regulatory investigations and lawsuits against the company by consumers or financial institutions claiming to have been harmed by the data breach. In recent years, a new trend also is emerging: shareholder derivative cases and securities class actions filed against directors and officers alleging claims for breach of fiduciary duty, or even securities fraud, relating to the data breach. The recent dismissal of one such lawsuit against the directors and officers of Wyndham Worldwide Corporation (Wyndham) provides insight on steps directors and officers can take to protect themselves from claims of breach of fiduciary duty in these lawsuits. [HLDA]

US – Arsenic Case Pits Privacy Rights Versus Historical Research

The Connecticut Supreme Court ponders privacy rights as they pertain to medical documents. FOIC’s Harmon replied that public figure status is sometimes conferred on individuals by the swirl of events and circumstances. While a criminal or politician may have taken affirmative, voluntary steps that waive their expectation of private citizen treatment, someone who, for example, is released from prison after a wrongful conviction also falls into the same legal territory whether they want to or not. There is a societal benefit to these types of people losing their privacy protection, said Harmon, in that members of the public “get to know about their heroes, leaders, villains and victims.” [Source]

Privacy Enhancing Technologies (PETs)

WW – Tor: Crowdsourced Security and Anonymity Concerns

Many “bad actors,” from criminals to nation states, run Tor nodes in order to track or otherwise harm users. For a fairly modest investment, an attacker can acquire and operate enough relays to have a reasonable chance of controlling both the first hop of a circuit (the guard, which sees the user’s real IP address) and the last hop (the exit, which sees the destination), at least over a period of time. Relay selection is weighted by bandwidth, and just 5% of relays carry 50% of the traffic, so a few high-bandwidth relays buy a disproportionate share of circuits. An attacker who holds both ends of a circuit can correlate traffic timing and volume to tie users to their activities. [Source]
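As an added worked example (not from the original article), here is the arithmetic behind “fairly good, at least over a period of time.” The script models bandwidth-weighted guard and exit selection over a constructed relay list (not real consensus data), computes the attacker’s bandwidth share at each position, and compares the end-to-end compromise probability over many circuits when the guard is re-picked every time against the case where the client pins a single guard, which is what Tor actually does. Relay names, bandwidths and ownership are assumptions.

```python
import random

# Constructed relay list (not real Tor consensus data): bandwidth in KB/s,
# position flags, and who operates the relay. The "attacker" owns a small
# slice of both guard and exit capacity.
RELAYS = [
    {"name": "guard-a", "bw": 400, "guard": True,  "exit": False, "owner": "honest"},
    {"name": "guard-b", "bw": 300, "guard": True,  "exit": False, "owner": "honest"},
    {"name": "guard-c", "bw": 200, "guard": True,  "exit": False, "owner": "honest"},
    {"name": "guard-x", "bw": 100, "guard": True,  "exit": False, "owner": "attacker"},
    {"name": "exit-a",  "bw": 250, "guard": False, "exit": True,  "owner": "honest"},
    {"name": "exit-b",  "bw": 200, "guard": False, "exit": True,  "owner": "honest"},
    {"name": "exit-x",  "bw": 50,  "guard": False, "exit": True,  "owner": "attacker"},
]

def bandwidth_share(relays, position, owner):
    """Fraction of bandwidth at a position ("guard" or "exit") held by one
    operator. Tor weights relay selection by bandwidth, so this is roughly the
    chance that a circuit picks that operator's relay at that position."""
    eligible = [r for r in relays if r[position]]
    total = sum(r["bw"] for r in eligible)
    owned = sum(r["bw"] for r in eligible if r["owner"] == owner)
    return owned / total

def per_circuit_risk(guard_share, exit_share):
    """Both ends of one circuit attacker-controlled (independent picks)."""
    return guard_share * exit_share

def rotating_guard_risk(guard_share, exit_share, n_circuits):
    """Probability that at least one of n circuits is end-to-end compromised
    when a fresh guard is picked for every circuit."""
    return 1 - (1 - per_circuit_risk(guard_share, exit_share)) ** n_circuits

def fixed_guard_risk(guard_share, exit_share, n_circuits):
    """Same question when the client keeps one guard: the attacker must have
    won the single guard pick, after which only the exit varies per circuit."""
    return guard_share * (1 - (1 - exit_share) ** n_circuits)

def simulate_rotating(relays, n_circuits, seed=0):
    """Monte Carlo check of per_circuit_risk: build n circuits with
    bandwidth-weighted guard and exit picks, return the compromised fraction."""
    rng = random.Random(seed)
    guards = [r for r in relays if r["guard"]]
    exits = [r for r in relays if r["exit"]]
    hits = 0
    for _ in range(n_circuits):
        g = rng.choices(guards, weights=[r["bw"] for r in guards])[0]
        e = rng.choices(exits, weights=[r["bw"] for r in exits])[0]
        if g["owner"] == "attacker" and e["owner"] == "attacker":
            hits += 1
    return hits / n_circuits

if __name__ == "__main__":
    g = bandwidth_share(RELAYS, "guard", "attacker")   # 0.1 with the list above
    e = bandwidth_share(RELAYS, "exit", "attacker")    # 0.1 with the list above
    print(f"per-circuit compromise probability: {per_circuit_risk(g, e):.4f}")
    for n in (1, 100, 1000):
        print(f"{n:5d} circuits  rotating guard: {rotating_guard_risk(g, e, n):.3f}"
              f"  pinned guard: {fixed_guard_risk(g, e, n):.3f}")
    print(f"simulated per-circuit rate: {simulate_rotating(RELAYS, 20000):.4f}")
```

With a 10% share at each end the per-circuit chance is only 1%, but over a thousand circuits that compounds to near certainty if guards rotate, whereas a pinned guard caps the lifetime risk at the guard share itself. That is why Tor keeps the same guard for months: it turns an almost-certain eventual compromise into a one-time gamble.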

US – Harvard Aims to Reengineer Privacy

Harvard’s School of Engineering and Applied Sciences reports on a symposium it held earlier this week on “Privacy in a Networked World.” Panelists included Pew Internet Research’s Lee Rainie and former FTC Chief Technologist Latanya Sweeney, and the event featured a video interview of Edward Snowden by Bruce Schneier. [Full Story]

US – App Developers Alliance Launches Developer Competition

Anticipating the burgeoning Internet of Things (IoT) landscape, the App Developers Alliance (ADA) has announced IoT(Accelerate)Berlin. The contest is designed for developers and pre-launch startups and is organized in partnership with Google and Ericsson. ADA Executive Director Jake Ward said, “IoT is experiencing substantial growth, and the opportunity for European developers and startups to help shape its future is clear. From connected cars and homes to health, wearables or big data solutions, the competition will help developers conceptualize and produce innovative products for this growing market.” The competition is focused around a three-day period, March 27-29, in Berlin, Germany. [Full Story]

WW – Users Get More Control Over Data in Latest Firefox Beta

To help users keep control of referrer data (the URL of the page a user came from, which the browser sends in the Referer header of subsequent requests), Mozilla has been working on changes to Firefox’s Gecko rendering engine to make it easier for users or browser extensions to control what is sent. And it has created a feature called “meta referrer” in the Firefox 36 beta that allows webmasters to include a tag in HTML documents specifying a referrer policy and what data can be sent. [CIO]
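As an added example, not code from Mozilla or from the CIO article, here is what a referrer policy actually decides. The function below takes a policy name from the W3C Referrer Policy specification plus source and destination URLs and returns the Referer value a browser should send (or nothing); a small helper reads the policy out of the meta tag the article describes. The page and tracking-pixel URLs are constructed, and the mapping of the older draft names (never, always, default) onto the current names is an assumption of this example, not a statement about the Firefox 36 parser.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Older draft spellings mapped onto the W3C Referrer Policy names. This
# mapping is an assumption of the example.
LEGACY_ALIASES = {
    "never": "no-referrer",
    "always": "unsafe-url",
    "default": "no-referrer-when-downgrade",
}
DEFAULT_POLICY = "no-referrer-when-downgrade"  # behaviour when no tag is present

def _host_port(parts):
    """Host plus explicit port, with any user:password stripped."""
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}"

def strip_for_referrer(url):
    """Userinfo and fragment are never sent in Referer under any policy."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path, p.query, ""))

def parse_meta_referrer(html):
    """Pull the policy out of <meta name="referrer" content="..."> (attribute
    order as in the tag shown; use a real HTML parser outside a demo)."""
    m = re.search(r'<meta\s+name=["\']referrer["\']\s+content=["\']([^"\']*)["\']',
                  html, re.IGNORECASE)
    if not m:
        return DEFAULT_POLICY
    value = m.group(1).strip().lower()
    return LEGACY_ALIASES.get(value, value)

def referrer_for(policy, source, destination):
    """Referer value a browser should send for a fetch from `source` to
    `destination` under `policy`, or None to send no Referer at all."""
    src, dst = urlsplit(source), urlsplit(destination)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = origin_of(source) == origin_of(destination)
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin_of(source) + "/"
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else strip_for_referrer(source)
    if policy == "origin-when-cross-origin":
        return strip_for_referrer(source) if same_origin else origin_of(source) + "/"
    if policy == "unsafe-url":
        return strip_for_referrer(source)
    raise ValueError(f"unknown referrer policy: {policy}")

if __name__ == "__main__":
    # Constructed page and third-party pixel; the query string is the kind of
    # detail (item, coupon) a site may not want handed to an ad network.
    page = "https://shop.example/cart?item=42&coupon=SAVE10#summary"
    html = '<html><head><meta name="referrer" content="origin"></head></html>'
    policy = parse_meta_referrer(html)
    for pixel in ("https://ads.example/pixel.gif", "http://ads.example/pixel.gif"):
        print(f"{policy:28s} -> {pixel}: {referrer_for(policy, page, pixel)}")
        print(f"{DEFAULT_POLICY:28s} -> {pixel}: {referrer_for(DEFAULT_POLICY, page, pixel)}")
```

The instructive pair is the default policy versus origin: with no tag, an HTTPS page leaks its full path and query to every HTTPS third party it embeds and only goes quiet on a downgrade to HTTP; a single meta tag reduces that to the bare origin everywhere.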

WW – How to Remain (Mostly) Invisible Online

While complete anonymity these days is nearly impossible, experts have some tips, and tools, they recommend for maintaining privacy and keeping your digital footprint as minimal as possible. Internet users can better protect their privacy online “by thinking of their private information as gold; do not give it away,” Frank Ahearn says. “Place a personal value on private information and recognize that sites want to profit [from] the information they extract. The best way to combat that is to supply untrue information. Deception has a positive purpose in the digital world,” and in fact is the best ally a user has to truly protect his online information. [Source]

US – Start-Up Looks to Capitalize on Differential Privacy

In some corners of the privacy world, de-identification has become something akin to the privacy community’s white whale: always just out of reach. Thus, into the breach steps the start-up Leap Year Innovations, a firm based in Philadelphia that is currently pitching “differential privacy” as a service, and soon hopes to offer it as a software package. What’s behind this alternative to De-ID and how does it work? [The Privacy Advisor]


US – Lawmakers Reintroduce Bipartisan Data-Security Bill

Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) have reintroduced a bill that would require companies to meet data security standards when processing users’ personal information. The bill would prompt the FTC to set a nationwide data-security standard for companies handling personal data. Companies that suffer breaches would have to notify customers and the FTC. “They also could face civil penalties of up to $5 million if they hadn’t adhered to the commission’s security standards,” the report states. Rush and Barton will hold a public briefing on the bill on February 6. The House Energy and Commerce Subcommittee held a hearing on data breach notification this week. [The Hill]

US – Obama Takes on Google With Law to Protect Privacy of U.S. Kids

Obama’s proposed Student Digital Privacy Act, details of which haven’t been released, would make explicit the responsibility of vendors to safeguard data. A separate, voluntary industry pledge could nonetheless expose signatories that break it to enforcement actions by the FTC or state attorneys general. [Bloomberg]

US – How Much Security Is Enough? Check the FTC Casebook

One of the most important issues on the FTC docket is the determination of whether a given data security practice is reasonable or not. Which is fine. But how will you know what the FTC deemed unreasonable in dozens of enforcement actions? Sure, you can go to the FTC website to seek, download and plough through all of the more than 180 FTC privacy and data security cases. But, as of last week, there’s a far better way: The IAPP Westin Research Center has launched its FTC Casebook, which is available at no additional charge to IAPP members. The Casebook makes the task of determining what the FTC regards as reasonable data security seamless, even fun! A digital resource, the FTC Casebook contains all of the FTC enforcement actions in the field, tagged, indexed, full-text searchable and annotated. But don’t take our word for it; let us walk you through just how it works. [Full Story]

US – Over 90% of Data Breaches in First Half of 2014 Were Preventable

The Online Trust Alliance says that a high percentage of data breaches were the result of staff mistakes — rather than external hacking. After analyzing over a thousand breaches involving PII, the non-profit has put together 12 ‘critical’ security practices in another guide that companies should follow in order to lessen the risk of a cyberattack — as well as minimize potential damage in a threat landscape which is becoming more dangerous by the year. [ZD Net] See also: 2015 Data Protection & Breach Readiness Guide

US, UK Establish a Joint Hacker A-Team to Conduct Cyber War Games

It’s been quite a week for British Prime Minister David Cameron. In addition to announcing the formation of the cyber cell, he had a meeting with Obama where he asked him to block companies like Apple, Facebook and Google from rolling out encryption services to users, which would allow users to communicate with one another more securely but which the British government claims could hurt intelligence collection. [Defense 1]

Smart Cars

US – Will Big Brother Eventually Monitor Driving Habits? Car Data Proposal Sparks Privacy Fears

But now the California Air Resources Board is proposing regulations (for a May board hearing) requiring manufacturers to significantly expand the kind of information on-board computer software collects about our driving habits. The software could track miles per gallon, driving distances, how often one stops and starts the car, and how fast one drives. Newer cars already tell us most of this information on those nifty trip computers in the dashboard. The difference, of course, is the regulations would require our cars to also tell government officials the information. [Source]

WW – BMW Sounds Alarm Over Tech Companies Seeking Connected Car Data

Concerns over the fine line the automotive industry walks between functionality and privacy. “There’s plenty of people out there saying, ‘Give us all the data you’ve got and we can tell you what we can do with it’,” BMW’s Ian Robertson said on the sidelines of the Detroit motor show, adding that this included “Silicon Valley” companies as well as advertising groups. “And we’re saying, ‘No thank you’.” … most drivers would be surprised by the scale and granularity of the data collected by modern vehicles. In a sinister illustration of the potential data that could be sacrificed by carmakers, Mr Robertson said BMW knew whether a child was in the car, based on weight sensors in the seats that linked up with the airbag system. [Irish Times]

US – “Cheaper Car Insurance” Dongle Could Lead to a Privacy Wreck

In short, you’d certainly hope that the Snapshot hardware designers and programmers took data security seriously during development. Otherwise, the very dongle that was supposed to help you learn to be a safer driver might leave you more exposed from a privacy and online security perspective … even if you conducted yourself impeccably behind the wheel, merely being out driving could harm the rest of your digital life. [Source]

US – California Mulling More Government Access to Cars’ On-Board Computers

Will Big Brother monitor our driving habits? But what if the traffic cop were a computer that always is transmitting data about our driving habits to a government agency? That question increasingly is being asked given technological advancements and a new proposal by the state’s air-quality control agency to expand the information your car’s computer would be required to collect and potentially transmit to officials. … the California Air Resources Board is proposing regulations (for a May board hearing) requiring manufacturers to significantly expand the kind of information on-board computer software collects about our driving habits. [Source]

US – U.S. Spies on Millions of Cars

The database raises new questions about privacy and the scope of government surveillance. The existence of the program and its expansion were described in interviews with current and former government officials, and in documents obtained by the American Civil Liberties Union through a Freedom of Information Act request and reviewed by The Wall Street Journal. It is unclear if any court oversees or approves the intelligence-gathering. …”Any database that collects detailed location information about Americans not suspected of crimes raises very serious privacy questions,’’ said Jay Stanley, a senior policy analyst at the ACLU. “It’s unconscionable that technology with such far-reaching potential would be deployed in such secrecy. People might disagree about exactly how we should use such powerful surveillance technologies, but it should be democratically decided, it shouldn’t be done in secret.’’ [Wall Street Journal]

US – The DEA Is Spying on Millions of Cars All Over the U.S.

With sweeping power to monitor the movements of so many Americans, the federal agency will continue to lose the hopeless drug war. We’ve traded our freedom to drive around without being tracked for next to nothing. Those who would cede essential liberty for the promise of security may deserve neither, but ceding it for the promise of a drug-free America is just delusional. The federal government could imprison every recreational drug user in America and it still couldn’t win the drug war because, among other things, the federal government can’t even prevent heavy drug use within the federal prison system.

US – Federal Agency Weighed Spying on Cars at Gun Shows

2009 DEA Proposal to Record Cars at Gun Shows Was Never Carried Out, Justice Department Officials Say. The Justice Department has been building a real-time database to track vehicle movement around the U.S. and has raised worries over government surveillance. [WSJ]

US – Massive DEA License Plate Reader Program Tracks Millions of Americans

According to the DEA, the program targets roadways it believes are used to transport contraband. It’s not clear what criteria the agency uses to classify a road as such. With so much information redacted it’s hard to say we’ve got the full picture here, but it’s also easy to understand why this capability is useful for law enforcement. Furthermore, identifying cars and users based on their license plates is nothing new – it’s what they’re for: license plates are public, unique identifiers. And of course we have always had the ability to follow a person or a car by spotting the right number plate and watching where it goes. So in some ways this is nothing new. But in other ways it’s very new indeed. [Naked Security]


CA – Secret ‘BADASS’ Intelligence Program Spied on Smartphones

CSE and GCHQ intelligence agents applied BADASS software filters to streams of intercepted internet traffic, plucking from that traffic unencrypted uploads from smartphones to servers run by advertising and analytics companies. The smartphone data routinely provided to ad and analytics companies represents a major privacy threat: when combined, the information fragments can be used to identify specific users, and when concentrated in the hands of a small number of companies they have proven to be irresistibly convenient targets for those engaged in mass surveillance. Although the BADASS presentation appears to be roughly four years old, at least one player in the mobile advertising and analytics space, Google, acknowledges that its servers still routinely receive unencrypted uploads from Google code embedded in apps. [Source]
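As an added example (not code from the original reporting or from the BADASS slides), this script shows why plaintext analytics uploads are such a convenient target for a passive filter. Over a constructed capture of requests from two phones to three fictitious analytics hosts, it pulls out stable identifiers and links every request that shares one, so fragments scattered across different providers (app in use, device model, a GPS fix) collapse into a single per-device profile, while a TLS connection in the same capture yields only the endpoint. Hosts, parameter names, identifier values and the list of identifier keys are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what a passive tap on a mobile network link sees.
# Plaintext requests expose method, host, path and query; a TLS connection
# exposes only the endpoint (written here as CONNECT host:443). None of these
# hosts, apps or identifiers are real.
CAPTURE = [
    "GET http://stats.adnet-example.net/track?adid=6f1c-9ab2&app=com.example.news&os=Android+4.4&model=GT-I9300 HTTP/1.1",
    "GET http://events.metrics-example.com/e?adid=6f1c-9ab2&app=com.example.news&lat=51.5074&lon=-0.1278 HTTP/1.1",
    "POST http://api.ads-example.org/v1/impression?device_id=ABCDEF012345&adid=6f1c-9ab2&app=com.example.weather HTTP/1.1",
    "GET http://stats.adnet-example.net/track?adid=c3d4-77e1&app=com.example.game&os=Android+5.0&model=Nexus+5 HTTP/1.1",
    "CONNECT collect.metrics-example.com:443 HTTP/1.1",
]

# Query parameters treated as stable device or user identifiers (assumed list).
IDENTIFIER_KEYS = {"adid", "idfa", "device_id", "android_id", "imei", "uid"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")

def parse_capture(lines):
    """Return (plaintext records, count of opaque TLS connections)."""
    records, opaque = [], 0
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        if m.group("method") == "CONNECT":
            opaque += 1          # TLS: only the endpoint is visible
            continue
        u = urlsplit(m.group("target"))
        records.append({"host": u.hostname, "params": dict(parse_qsl(u.query))})
    return records, opaque

def identifiers_in(params):
    return {(k, v) for k, v in params.items() if k in IDENTIFIER_KEYS}

def link_devices(records):
    """Union-find over shared identifier values: two requests belong to the
    same device if they share any stable identifier, even when they went to
    different analytics providers. Returns one profile per linked device."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, rec in enumerate(records):
        for ident in identifiers_in(rec["params"]):
            if ident in first_seen:
                parent[find(i)] = find(first_seen[ident])
            else:
                first_seen[ident] = i

    profiles = {}
    for i, rec in enumerate(records):
        p = profiles.setdefault(find(i), {"identifiers": set(), "providers": set(),
                                          "apps": set(), "locations": set()})
        p["identifiers"] |= identifiers_in(rec["params"])
        p["providers"].add(rec["host"])
        if "app" in rec["params"]:
            p["apps"].add(rec["params"]["app"])
        if "lat" in rec["params"] and "lon" in rec["params"]:
            p["locations"].add((rec["params"]["lat"], rec["params"]["lon"]))
    return list(profiles.values())

def profile_with(profiles, key, value):
    """The linked profile containing a given identifier, or None."""
    for p in profiles:
        if (key, value) in p["identifiers"]:
            return p
    return None

if __name__ == "__main__":
    records, opaque = parse_capture(CAPTURE)
    print(f"{len(records)} plaintext uploads readable, {opaque} TLS connection(s) opaque")
    for p in link_devices(records):
        print(sorted(p["identifiers"]), sorted(p["providers"]),
              sorted(p["apps"]), sorted(p["locations"]))
```

The same advertising ID sent to three unrelated hosts is what does the damage: no single upload carried both the location and the second app, but the shared identifier stitches them together. Moving any one of those uploads to TLS removes it from the profile entirely, which is the point the article makes about Google’s still-unencrypted analytics traffic.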

WW – Software Makes Spying Real Easy, and It May Be on Your Phone

Spyware is readily available to any insecure spouse, overzealous boss, overbearing parent or crazy stalker. It’s sold legally, and “if it’s already on your phone, there’s no way you can tell,” the report states. Spyware companies like mSpy and flexiSPY make money off the secret surveillance of millions of people’s devices, the report states. While spyware has been around for decades, “the current crop is especially invasive” because if someone is alone with a device for a few minutes or if they have their target’s iCloud credentials, they can upload sophisticated tracking software that will let them follow whatever’s happening on the target device. [Gizmodo]

WW – Apps Will Share Data With Google Now

In a bid to bolster its hold on the online search market, Google plans to allow a host of third-party apps, including Airbnb, eBay and Lyft, to share data with Google Now. Google Now is a predictive search app, available for Android phones and wearables as well as the Chrome web browser. If users have the updated Google app and the Airbnb app on their phones, for example, the search history from Airbnb will be shared with Now. Previously, Google acquired search data only from a user’s Google account search history. According to the report, more than 30 third-party apps will share data with Google Now. [The Wall Street Journal]

WW – Cookies Are So Yesterday; Cross-Device Tracking Is In

The cookie is out, and cross-device tracking is in. After all, one recent study found users can switch from laptop to smartphone to tablet an average of 21 times in a single hour. But how do you sell cross-device tracking to your users while avoiding the privacy pitfalls the cookie faced during its ascension? Michael Whitener lists the things marketers can do to keep both companies and consumers safe while taking advantage of the insights such tracking can provide. [The Privacy Advisor]

WW – Using Video to Expose Corruption, Abuse

Videre uses tiny cameras and an “army” of individuals armed with them to expose corruption and abuse, “shaming governments into action,” Erin Burnett explains in this CNN report. Oren Yakobovich is head of the human rights organization Videre, which “uncovers, verifies and publicizes human-rights abuses that the world needs to witness.” Yakobovich is also featured in a TED Talk about his efforts to turn surveillance on its head. “This can stop corruption,” Yakobovich says, but some question how the cameras could be misused to violate privacy or solicit bribes. [CNN video report]

US – EFF’s Game Plan for Ending Global Mass Surveillance

For years, we’ve been working on a strategy to end mass surveillance of digital communications of innocent people worldwide. Today we’re laying out the plan, so you can understand how all the pieces fit together—that is, how U.S. advocacy and policy efforts connect to the international fight and vice versa. Decide for yourself where you can get involved to make the biggest difference. This plan isn’t for the next two weeks or three months. It’s a multi-year battle that may need to be revised many times as we better understand the tools and authorities of entities engaged in mass surveillance and as more disclosures by whistleblowers help shine light on surveillance abuses. [EFF]

US – Law Enforcement Radar Can See Through Walls

As many as 50 law enforcement agencies across the country have deployed radar technology capable of seeing inside homes to determine if someone is present, all with little or no public disclosure or court oversight. The technology uses radio waves to detect movement—such as breathing—to determine if someone is home. The use of the radar raises legal and privacy concerns, particularly since the U.S. Supreme Court has said law enforcement needs to obtain a warrant prior to using high-tech sensors on an individual’s home. The ACLU’s Christopher Soghoian said, “Technologies that allow the police to look inside of a home are among the intrusive tools that police have.” [USA Today]

US – Prenuptial Snooping Is Booming, Say Private Investigators

Private detectives say there has been a dramatic increase of prenuptial investigations. “It’s worth it to them to spend a little in advance to figure out whether they’re hooked up with a loser or a longtime candidate,” said AAA Detective Agency Owner Jerry Bussard. The trend stems from the increased use of online dating and embellished online profiles. “The Internet, they say, is like a gateway drug to professional snooping,” the report states. “In a manner of speaking, it’s the new prenuptial,” said another private investigator, adding, the main difference is the “party being investigated doesn’t have to sign off or agree to be under surveillance.” [The Wall Street Journal]

EU – Danish Surveillance Push Meets Opposition from Network Providers

According to the draft, the Danish Defence Intelligence Service’s cyber defense unit will also be given authority to delay transactions in order to review security aspects. The industry says this will amount to de facto powers to block mergers and other deals. The Justice Ministry’s plan to demand that network operators resume keeping logs on traffic also revives measures that were struck down by a European court last year. [Bloomberg]

UK – British Spies Seized Emails to Reporters

There is no explanation of why the vast collection of messages was sucked into the global system of electronic surveillance created and maintained by British and American spies. But code words within the document suggest that it may be a glimpse of the colossal amount of information gathered each day before being “minimized,” or stripped of irrelevant material. …Why email messages traveling to reporters with news organizations were captured is also left unexplained in the document. Some of the captured messages contain email addresses associated with The Washington Post, Reuters, Le Monde and The Baltimore Sun. Messages to at least four New York Times reporters were intercepted. [NY Times]

EU – France Vows Forceful Measures Against Terrorism

Prime Minister Manuel Valls announced “exceptional measures,” including plans to spend an additional 425 million euros, or more than $490 million, to create over 2,500 new jobs to buttress the fight against terrorism and monitor nearly 3,000 people the police consider surveillance targets. A bill aimed at updating the legal framework for intelligence and surveillance operations will be introduced in Parliament in March, he said. [NY Times]

AU – Australia’s Privacy Commissioner Tim Pilgrim Fears Telco Metadata Breaches

Timothy Pilgrim says Australians should be warned if their privacy is breached as a result of leaked metadata. The legislation, dubbed the Data Retention Bill, requires Australian phone and internet providers to store various customer metadata for up to two years for law-enforcement agencies’ access. No warrant is required to access the data, only a requesting agency senior officer’s sign-off. Exactly what metadata the government wants providers to store remains unclear, as the final “data set” will be in the bill’s regulations, which have not yet been released and can be changed by the Attorney-General of the day without Parliament’s approval. Instead, a “proposed data set” document that doesn’t specify exactly what data should be retained has been circulated. [Source]

UK – Ex-UK Spy Chief Says Accord Needed With Tech Firms to Stop Terrorism

Prime Minister David Cameron has promised laws giving greater access to online communication if he wins the May general election, but some of his rivals oppose the scale of his proposals. Sawers backed Cameron’s stance, saying that while he understood the value of online communication services like Facebook’s WhatsApp and Apple’s FaceTime, and used them himself, they could not be beyond the reach of monitoring agencies.

UK – Privacy Activists Irate As British Lords Try to Sneak Surveillance Bill Into Anti-Terror Laws

According to Mike Harris, from the Don’t Spy On Us campaign group, the Lords have actually made the original bill tougher, by not mentioning many useful safeguards. As it stands, the proposed amendments would allow the home secretary, Theresa May, to force internet service providers to hold onto communications data for 12 months. That information would be accessible to any “relevant public authorities”, which could even allow local councils to grab data on citizens. The only barrier the secretary of state has to overcome is in consulting Ofcom, the communications regulator. [Forbes]

UK – UK Declares War on Privacy Under the Facade of “National Security”

Great Britain just isn’t that great anymore. An astounding erosion of my home country’s fundamental civil liberties and freedoms has made it difficult to envision one day returning home.

Put simply: at the next election, the U.K. population will vote on whether or not it gives the U.K. government the mandate to spy and snoop unrelentingly under the unproved and illogical assumption it will prevent future terror attacks. [ZDNet] [Europe Pivots Between Safety And Privacy Online]

AU – ‘Invasive’ Data Retention Bill Should Be Scrapped

“[Mandatory data retention] is characteristic of a police state,” the LIV wrote, quoting the Office of the Victorian Privacy Commissioner. “It is premised on the assumption that all citizens should be monitored. Not only does this completely remove the presumption of innocence, … it goes against one of the essential dimensions of human rights and privacy law: freedom from surveillance and arbitrary intrusions into a person’s life.” [Lawyers Weekly]

AU – Everyone Has Something to Hide If Universal Data Retention Becomes Law in Australia

Metadata can provide an alarming amount of information about an innocent individual’s activities, friends and beliefs. It’s simply not necessary. What would a telephone call or Google search placed in front of a brothel, gay bar or abortion clinic reveal? Imagine the caller were not me – with my classical liberal views – but a conservative Christian politician. What mischief could be had at his or her expense? [The Guardian]

AU – Privacy Commissioner Hits Out at ‘Ill-Defined’ Data Retention Plans

The Victorian Commissioner for Privacy and Data Protection said the government’s data retention proposal was ill-defined and insecure in a submission to the parliamentary inquiry investigating the scheme. This vast reservoir of highly sensitive, distributed data will not be adequately secured because the scheme does not properly address the security issues associated with the transmission and storage of the retained data …It is so vague and opaque as to make it impossible to clearly determine the risks it poses or to suggest appropriate mitigation measures. [AFR]

US – With Snowden in the Background, Privacy Takes a Back Seat to Security

In a rare streak of bipartisanship, there is virtually no distance between Republicans and Democrats on this issue. Roughly seven in 10 Democrats and Republicans alike prioritize the investigation of threats over personal privacy (71 and 68%, respectively). Even liberal Democrats, by 62-34%, side with investigation over privacy. Political independents drop to 56% preferring investigation. [Washington Post] [Goodbye Privacy: White House Sides with UK, Wants Backdoor to Encrypted Data]

TH – Cyber Bill Powers to Be Scaled Back: Government Yields to Public Pressure

The Cybersecurity Bill was among eight digital economy-related bills which earned cabinet backing early this month, on top of two others which received preliminary approval last month. But it has since been subject to complaints from experts and privacy activists who have urged a revision to prevent abuse of power by the state… Thailand is ranked third globally for cybersecurity risk, with hackers frequently using the country as a base for major attacks, including the recent high-profile hack of US-based Sony Pictures Entertainment. [Bangkok Post]

US – Marco Rubio Wants to Permanently Extend NSA Mass Surveillance

Rubio for years has positioned himself as a vocal defense hawk in Congress, and he has repeatedly defended the NSA’s spy programs revealed to the public by former agency contractor Edward Snowden. But Rubio’s call to permanently extend the legal framework that allows the NSA to collect the bulk U.S. phone metadata—language that Congress has tweaked and in many cases made more permissive since 9/11—is particularly forceful. It comes in the wake of terrorist attacks by Islamic extremists in France at a satirical newspaper and a kosher deli that left 17 dead—violence that has prompted European officials to publicly consider whether more forceful surveillance laws are needed. It also underscores the divisions among Rubio and his fellow Republican senators expected to jockey for the White House—namely, Sens. Ted Cruz of Texas and Rand Paul of Kentucky. [GovExec]

Telecom / TV

US – Group Urges FCC to Impose Privacy Rules on Broadband Providers

Consumer advocacy group Consumer Watchdog is urging the Federal Communications Commission (FCC) to place new privacy regulations on broadband providers. In a letter to the FCC , Consumer Watchdog wrote, “If consumers believe that their broadband provider substantially threatens their privacy, they are less likely to use the Internet.” The FCC should reclassify broadband service as a utility, Consumer Watchdog argues, and follow the same privacy rules set up for telephone providers. “This vital protection should exist related to private information secured from digital networks,” Consumer Watchdog wrote, adding, “The FCC must adopt regulations to ensure that the integrity and privacy of data gathered on the broadband networks we use are maintained.” [MediaPost]

US – Court Filing: Law Enforcement Kept Call Database Without Court Approval

Until last year, U.S. law enforcement maintained a database of international phone calls obtained from telecommunications companies under subpoenas that don’t require court approval. The U.S. Drug Enforcement Administration said in a court filing last week that the database tracked phone numbers and the time and duration of the calls and allowed investigators to query a number if they had a “reasonable articulable suspicion” that it was linked to a federal criminal investigation. The database was discussed during a federal court case involving a person suspected of illegally transporting U.S. goods and technology to Iran, the report states. [Bloomberg]

US – Apple iPhone with Secret iFeature Allows Government to Spy on You

It is not clear if the “special software” being referred to in the interview is made up of standard diagnostic tools, or if the NSA whistleblower thinks intelligence agencies from the United States have found a way to compromise the mobile operating system developed by Apple. [TechTimes]

US Government Programs

US – U.S. Drug Enforcement Agency Halts Huge Secret Data Program

The program, run by DEA’s Special Operations Division, collected international U.S. phone records to create a database primarily used for domestic criminal cases – not national security investigations, according to records and sources involved. Two people briefed on the DEA program said that it began in the late 1990s. Records show it involved the use of administrative subpoenas, which can be issued by federal agents – rather than grand jury subpoenas, which must be approved by prosecutors, or search warrants, which must be approved by a federal judge. [Reuters]

US – The Many Problems with the DEA’s Bulk Phone Records Collection Program

The government’s claimed authority for this bulk collection was 21 U.S.C. § 876, which empowers the Attorney General to issue administrative subpoenas—not approved ahead of time by a grand jury or judge—which compel the production of records that are relevant and material to an investigation relating to drug crimes. But bulk collection of all call records based solely on the country a person called could never satisfy the statute, because most of the records are irrelevant to an active investigation. To be sure, the government may only have queried the database for records relevant to an active investigation, but the government was using § 876 to collect all records in anticipation of some future investigation. In other words, unless every person in the US who has ever made a phone call to someone in Iran or some other country contained in the database is considered a criminal suspect, the vast majority of records are irrelevant to any investigation. [EFF]

US – U.S. Discloses New Trove of Phone Call Records

The D.E.A. program was one of several troves of information on Americans’ phone records revealed in recent years. The most extensive and controversial one is kept by the NSA and contains records on every American phone call. Counterterrorism officials use it when conducting investigations, but civil liberties advocates have continued to raise questions about the programs. [NY Times]

US – New Report: DHS Is a Mess of Cybersecurity Incompetence

A large, embarrassing, and alarming Federal oversight report [by Senator Tom Coburn] finds major problems and grave shortcomings with Department of Homeland Security cybersecurity programs and practices which are “unlikely to protect us”. The report says (and echoes the sentiments of many civilian infosec professionals) that the DHS approach on vuln mitigation is nothing but a losing strategy. “The nature of cybersecurity threats — and the ability of adversaries to continuously develop new tools to defeat network defenses — means that DHS’s strategy for cybersecurity, which focuses primarily on vulnerability mitigation, will not protect the nation from the most sophisticated attacks and cybersecurity threats.”[ZDNet] [Slate: Step Aside, States?]

US – NSA Creating Privacy Internship Program

One of the central thrusts of the program’s research is to determine whether certain kinds of data present more or less risk to privacy and civil liberties, and whether the same distinction can be drawn in terms of how the data is being used. [FedScoop]

US – Privacy Advocates Say NSA Reform Doesn’t Require ‘Technological Magic’

Just because a new federal report found no software solution to recreate the full scale of current National Security Agency surveillance does not mean that’s the right policy, privacy pros say. At a press conference with British Prime Minister David Cameron, President Obama said the US needs to preserve its capability to track electronic communications of terrorist suspects, but is working with companies to ensure the government meets “legitimate privacy concerns.” Obama has already proposed some surveillance reforms, including nixing the government’s storage of the phone records and forcing the NSA to gather them from company databases instead. “We just have to work through, in many cases what are technical issues,” Obama said. [CS Monitor]

US – As Terror Threats Rise, Privacy Is Now More Important Than Ever

Snowden’s revelations tipped the needle in favor of greater privacy and security, but recent attacks have thrown much of that effort under the bus. Does now really seem like the best time to compromise on security by calling for encryption to be outlawed, in the process stripping Internet users of their privacy, and opening them up to hacks, attacks, and identity theft? U.K. prime minister David Cameron thinks so, and he’s counting on Obama’s support for implementing backdoors in the tech companies. [ZDNet]

US Legislation

US – Tech Companies and Advocates Join Forces to Push ECPA Reform

Companies including Amazon, eBay and Facebook have joined the Electronic Frontier Foundation and dozens of other groups in sending letters to Congress demanding lawmakers finalize a bill that would require officials to get a warrant before searching people’s old emails or other items stored in the cloud. “Because of all its benefits, there is an extraordinary consensus around … reform—one unmatched by any other technology and privacy issue,” the groups wrote to leaders of the House and Senate Judiciary Committees, adding that passing a bill “sends a powerful message—Congress can act swiftly on crucial, widely supported, bipartisan legislation.” [The Hill]

US – Obama Proposal to Consider Impact of New Technologies

President Barack Obama has proposed federal legislation to safeguard student privacy in the face of new technologies that collect sensitive personal information about students in order to help tailor learning plans. While the White House hasn’t publicized details of the proposed legislation, Obama indicated in his speech unveiling the plan that it would be modeled on a California law that passed last year. “This is a huge step forward,” said James Steyer, CEO of nonprofit child advocacy group Common Sense Media. However, another activist said he considers the California bill a “very weak proposal.” [The Washington Post]

US – Proposed Indiana Law Would Raise Bar for Security and Privacy Requirements

The Indiana Office of the Attorney General has recommended the 2015 legislature pass a bill that would tighten state laws governing data collection. These requirements are a substantial change from most existing U.S. privacy laws, and designing and implementing the necessary procedures could be a challenge for many companies. …Failure to comply with the bill’s requirements would constitute a deceptive act under state consumer protection law. While only the attorney general may bring an enforcement action, if a court determines that the violation was “done knowingly,” penalties include a fine of $50 for each affected Indiana resident, with a minimum fine of at least $5,000 and a maximum fine of $150,000 per deceptive act. [Source]

US – Other US Privacy News


Workplace Privacy

US – Job Searching? Get Ready to Hand Over Some Intimate Details

Rob Walker describes efforts to find a job and the online component that seems to accompany every search. “In addition to asking for your address, gender, race, etc., the questions have been more specific … I’ve also seen forms asking whether the applicant has been found to have depression, anxiety or behavioral or medical ‘disabilities.’ Generally, you cannot submit the application without providing all the requested data.” Prof. John Sullivan of San Francisco State University says companies are moving away from such practices but mainly because they can find that information by searching what candidates, themselves, have already put online. [The New York Times]

US – How to Talk to Employees During a Breach

While many companies are working with security firms and encrypting data, “they may be neglecting an important piece of the puzzle.” The article lists ways to communicate with employees during a cyber attack. Companies should be proactive when communicating with employees, the report states: instruct them on how they can help minimize the impact of the breach, be open and honest about what is and is not yet known, communicate frequently, and encourage employees to voice their questions and concerns. [Fast Company]


01-15 January 2015

Big Data

US – Federal Study Says Mass Data Collection Irreplaceable

The National Academy of Sciences has released an in-depth report informed by communications and cybersecurity experts as well as former intelligence officials concluding that there is no effective alternative to bulk data collection for intelligence purposes. According to the study, “no software-based technique can fully replace the bulk collection of signals intelligence.” However, the report did conclude there are ways to “control the usage of collected data” including, notably, placing strong privacy protections on the collected data once it’s in the government’s hands. [The New York Times]

WW – Big Corps Want to Know How You Feel; Defense Contractors Are Happy to Help

It’s no secret that businesses track consumers online and study social media to learn more about their shopping habits. But the public backlash against Sony after its response to being hacked, criticism of Target’s handling of its 2013 cyberattack and other examples of corporate embarrassment have put a spotlight on another type of analysis — measuring public sentiment about a business. Now, contractors that traditionally performed this type of work for government intelligence agencies are offering their skills to large corporations. Corporations are increasingly looking for early warnings to manage potential disruptions. Not everyone is excited by the prospect. The thought of government contractors offering intelligence-level expertise to corporations worries some privacy advocates. “This is the creation of a digital blacklist,” said Jeffrey Chester, who leads the Center for Digital Democracy. “A system designed for defense use should not be unleashed on the everyday goings-on of Americans.” [The Washington Post]

US – Why Uber Is Sharing Ride Data With the City of Boston

Uber said it will begin sharing trip data with the city of Boston with the goal of helping to reduce traffic congestion and assist urban planners. Under the first-of-its-kind deal, the car booking app said it will give city officials granular reports about every trip taken with Uber in the city. Riders’ personal information will not be included in the report, Uber said. What city officials will see, according to Uber, is an anonymized report showing the time, date and ZIP code of where a rider was picked up and where and when their trip with Uber ended. The data will also allow city planners to study the duration of the ride and come up with solutions to ease traffic congestion, including adding more public transportation options.[ABC News]
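The report described above releases exactly the fields (pickup and dropoff ZIP code, start and end time) that let an outsider match a “anonymized” trip to a person whose commute they already know, if the group of trips sharing those fields is small. The following Python script is an added example, not Uber’s or the City of Boston’s code: it computes the k-anonymity of a constructed set of trips after coarsening timestamps to hour or day buckets, lists the trips that remain unique, and suppresses records whose group is smaller than k. The record layout, sample trips and bucket sizes are assumptions.

```python
"""k-anonymity check for 'anonymized' trip reports.

Added example; not Uber's or the City of Boston's code. Record fields follow
the article (pickup/dropoff ZIP, pickup/dropoff time); the sample trips and
the choice of hour or day buckets are constructed assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed sample trips as a city might receive them (no rider identity).
TRIPS = [
    {"pickup_zip": "02116", "dropoff_zip": "02134", "start": "2015-01-05T08:03", "end": "2015-01-05T08:31"},
    {"pickup_zip": "02116", "dropoff_zip": "02134", "start": "2015-01-05T08:10", "end": "2015-01-05T08:40"},
    {"pickup_zip": "02116", "dropoff_zip": "02134", "start": "2015-01-05T08:20", "end": "2015-01-05T08:50"},
    {"pickup_zip": "02116", "dropoff_zip": "02134", "start": "2015-01-05T08:45", "end": "2015-01-05T09:20"},
    {"pickup_zip": "02115", "dropoff_zip": "02118", "start": "2015-01-05T23:50", "end": "2015-01-06T00:15"},
]


def _bucket(ts, hours):
    """Coarsen an ISO timestamp to (date, start hour of its bucket)."""
    dt = datetime.fromisoformat(ts)
    return dt.date().isoformat(), (dt.hour // hours) * hours


def quasi_identifier(trip, hours=1):
    """Fields an outsider could match against, e.g. a colleague's known commute."""
    return (trip["pickup_zip"], trip["dropoff_zip"],
            _bucket(trip["start"], hours), _bucket(trip["end"], hours))


def k_anonymity(trips, hours=1):
    """Return (smallest group size, group sizes keyed by quasi-identifier)."""
    groups = Counter(quasi_identifier(t, hours) for t in trips)
    return min(groups.values()), groups


def singletons(trips, hours=1):
    """Trips that are unique in the release and therefore linkable to a rider."""
    _, groups = k_anonymity(trips, hours)
    return [t for t in trips if groups[quasi_identifier(t, hours)] == 1]


def suppress(trips, k, hours=1):
    """Keep only trips whose quasi-identifier group has at least k members."""
    _, groups = k_anonymity(trips, hours)
    return [t for t in trips if groups[quasi_identifier(t, hours)] >= k]


if __name__ == "__main__":
    for hours in (1, 24):
        k, _ = k_anonymity(TRIPS, hours)
        print(f"{hours}-hour buckets: k={k}, "
              f"{len(singletons(TRIPS, hours))} unique trips, "
              f"{len(suppress(TRIPS, 2, hours))} survive suppression at k=2")
```

With hourly buckets the late-evening trip and the one that crosses into the next hour are each unique; widening to day-level buckets still leaves the trip that crosses midnight unique, which is the point: coarsening time does not by itself make a ZIP-to-ZIP record safe, and a release needs a suppression or aggregation step tied to a minimum group size.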

US – Pasquale on the Black Boxes of Data-Mining

Author Frank Pasquale discusses the lack of transparency and redress in big data profiling, both for students and employees. Though he applauds President Barack Obama’s privacy initiatives rolled out earlier this week, Pasquale writes, “it’s time for policy-makers to aim higher” because, through big data algorithms, individuals can easily be stigmatized without knowing they’ve been flagged as a high-risk student or employee. “Students should not be ranked and rated by mysterious computer formulas,” he writes, adding, “They should know when they’ve been marked for special treatment.” [Los Angeles Times]


CA – Watchdog to Study ‘Privacy Compliance’ Among Canadian Advertisers

The Office of the Privacy Commissioner of Canada is launching a research project to examine advertising on popular websites in Canada. The goal is to determine whether advertisers are complying with Canadian privacy laws. As “big data” becomes more crucial to advertisers who hope to reach consumers with messages that might be relevant to their needs, the industry has also been working to ease concerns about privacy. Industry groups representing Canadian advertisers and their agencies launched a self-regulatory group, the Digital Advertising Alliance of Canada (DAAC), in 2013. Despite the publication of the OPC’s guidelines, and the launch of the DAAC, “informal observations of major websites viewed by Canadians show that privacy compliance may still be an issue,” Privacy Commissioner Daniel Therrien wrote in a letter to the Interactive Advertising Bureau of Canada in mid-December, giving notice of the upcoming study. Similar letters were sent to the other industry groups including the DAAC. Results of the study will likely be published in the spring. [The Globe and Mail]

CA – New Sask. Privacy Commissioner to Continue Pushing for Police to Be Included in Legislation

For 10 years, former privacy commissioner Gary Dickson regularly recommended that municipal police be brought under the authority of Saskatchewan’s privacy legislation. His successor, Ronald Kruzeniski, intends to do the same. Aside from Prince Edward Island, which doesn’t have a Local Authority Freedom of Information and Protection of Privacy Act (LAFOIPP), Saskatchewan is the only province in Canada in which municipal police aren’t legislated under access and privacy laws. The RCMP, which operates in smaller centres in the province, is covered under federal privacy laws. This means anyone wishing to get access to municipal police information or file a privacy complaint through Kruzeniski’s office is unable to do so. Citizens wishing to file complaints with municipal police can currently do so through the Public Complaints Commission. Kruzeniski intends to officially make the recommendation at some point this year, and plans to meet with the Saskatchewan Association of Chiefs of Police. [Leader-Post] SEE ALSO: Ontario Acting Privacy Commissioner Brian Beamish “is calling for changes in legislation to make it harder for hospitals to handle privacy breaches internally without reporting them to the privacy office.” [Hospitals should report privacy breaches to commissioner: Editorial] [ON: Hundreds of hospital privacy violations go unreported]

CA – RCMP Refusing to Pay Rogers’ New Cellphone Fees

The RCMP and many other police forces are refusing to pay new fees imposed by Rogers Communications for helping track suspects through their mobile phones. Police say the telecommunications firm is legally obligated to provide such court-ordered services and to cover the cost as part of its duty to society. Rogers says while it picks up the tab for most judicially approved requests, in some cases it will charge a minimal fee. The quietly simmering dispute underscores long-standing tensions over who should pay when police call on telephone and Internet providers to help investigate cases. Although they have concerns about the new Rogers fees, the Mounties did pay more than $2 million to telecom firms in 2012-13 in connection with customer information and intercept-related activities, the force says. [The Star]

CA – Debate Shaping Up About New Law to Fight Terror in Canada

Only 17 people have been convicted of terrorism and related offences in Canada since 2001. Five others await trial in three separate cases. In July, a sixth Canadian was charged with taking up arms in Syria and has not returned to Canada. Conservative Senator Dan Lang, chair of the Senate’s national security and defence committee, and other politicians are demanding to know why the numbers are so relatively low compared with the United States and Britain. This past week, while expressing solidarity with France over the shooting attack on the Paris office of satirical magazine Charlie Hebdo, Prime Minister Stephen Harper said a new anti-terrorism bill giving the state additional powers to watch, detain and arrest extremists will be tabled shortly after Parliament resumes in late January. [The Ottawa Citizen] SEE ALSO: Legislation will be tabled this month that “will provide national security agencies with explicit authority to obtain and share information that is now subject to privacy limits]

CA – Serious Offenders Among Dozens Mistakenly Released From Ontario Jails

Prisoners who were supposed to be locked up on charges of attempted murder, sexual assault, armed robbery and assault with a weapon were mistakenly released from Ontario jails during the last six years. In total, 98 prisoners were freed prematurely between 2009 and 2013, mostly because of clerical errors. Four of these prisoners committed new offences while they should have been behind bars, the government acknowledged for the first time in December. [Toronto Star]

CA – Torontonian Uses Big Data and Privacy Expertise to Create Anonymous Index of Sexual Assault

Lauren Reid is a 30-year-old Toronto resident using her professional background in big data and privacy to push for a national, anonymous, user-controlled and self-reported database on sexual assault. It is an ambitious project, unprecedented in its scope, but it comes with its own set of complicated challenges and concerns. The goal is to create a database that allows insights into “Why didn’t you report it?” among other things, and also to gauge how many people are sexually assaulted more than once, whether people knew it was rape at the time, whether they were drinking or drugged, and so on. Users would enter their stories and add or change information at any time. The database would need to maintain clear definitions of sexual assault, she said, and it would be fully anonymous — no naming of names allowed. Even those who support the intention of such a database worry about privacy concerns, legal implications and false reports. “The purpose is to generate knowledge about a problem,” Ms. Reid said. “It isn’t to prosecute people.” [National Post]

CA – To Guard Government Computers from Hacking, Ottawa to Spend $100-Million on Security

Ottawa will spend as much as $100-million to safeguard Canadian government computers after a Chinese state-backed hacker broke into the National Research Council’s system last summer – and the 2015 budget is expected to help underwrite the bill for upgrading network security. There’s a request from inside government for extra money in the 2015 federal budget to fund long-term cyberprotection measures. This request is a sign of how seriously the increased threat of Chinese state hacking is being taken inside Ottawa. [The Globe and Mail] [CA – Canadian passports stolen at gunpoint in Caracas]

CA – Search Warrants’ Surge Denounced by Defence Lawyer

Search warrants have become much too easy for Toronto police to obtain, says a veteran defence lawyer who is calling on the courts to “bring some control to the situation that’s become like the Wild West.” New documents show the number of search warrants executed by Toronto police has almost tripled in a nine-year period. In roughly half the cases, nothing illegal was found and no charges laid. A 50% “failure rate” is a “huge problem,” lawyer David Bayliss said. [Toronto Star] [Interview: Privacy guru Ann Cavoukian] [ON: Hundreds Of Hospital Privacy Violations Go Unreported] and [Mondaq News: $7,500 in Damages Awarded for Intrusion Upon Seclusion] AND [Canadian Lawyer Magazine: Is Google Search Evidence Admissible?]

CA – Auto Lenders Quietly Install a Digital Repo-Man

A little-known black box buried in the guts of many GTA vehicles makes drivers with poor credit the hapless targets of what is becoming a 24-hour surveillance culture. Known as a starter interrupter, the GPS-equipped, wallet-sized box is popular with auto loan companies: If the owner stops making payments, the lender can send a signal to the box, disabling the vehicle by shutting off the starter. The GPS function also allows for tracking the customer’s movements. Thousands of starter interrupters have been on the roads in Canada for years, but in Ontario, little has been said about how they’re used and the information they allow lenders to collect. Consumer protection laws have curtailed their use in Quebec, and serious questions are being raised about their safety in the United States, following reports about moving cars being shut down remotely. [Toronto Star]


US – Art Indicates Teens Have Complex Understandings of Privacy Threats

Privacy Illustrated is a project Carnegie Mellon University (CMU) researchers unveiled last week. It includes art submitted by 175 people, from kindergarteners to senior citizens, but some of the most complex images of threats to privacy came from teens. “Teens actually value privacy a lot, but their threat models are very different from adult threat models,” said Lorrie Faith Cranor, director of CMU’s CyLab Usable Privacy and Security Lab, who led the initiative. According to the teens’ drawings, they’re “acutely concerned about prying parents, siblings and schoolmates and worried about a spying government.” [Pittsburgh Post-Gazette] [The New York Times: ThinkUp Helps the Social Network User See the Online Self]

WW – Apple Spotlight Runs Roughshod Over Mail Privacy Settings

Apple’s Spotlight desktop search engine in OS X Yosemite ignores the privacy settings of the Mail client. When Spotlight indexes messages it loads their remote content, so search results can include pictures and other files linked from email messages even if users have told Mail not to load remote content. The HTTP requests sent to the servers hosting that content reveal users’ IP addresses, and confirm that the message was opened, to whoever controls those servers. Users can prevent the leak by unchecking “Mail & Mailboxes” in the Spotlight pane of System Preferences. [The Register] [ComputerWorld] [ArsTechnica]
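The leak above is the same one a “do not load remote content” setting exists to stop: any element whose URL a renderer fetches on its own hands the reader’s IP address and the time of reading to the host named in the URL. The following Python script is an added example, not Apple’s code: it walks an HTML message and reports every auto-fetched remote reference, the hosts that would be contacted, and 1×1 images of the kind used as open-tracking beacons. The sample message is constructed, and the table of auto-fetched attributes is an assumption that covers the common cases only.

```python
"""Remote-content finder for HTML mail.

Added example; not Apple's code. It shows what a 'do not load remote content'
setting has to block: every element whose URL a renderer fetches without a
click, because that fetch reveals the reader's IP address (and the time of
reading) to the host in the URL. The sample message is constructed and the
attribute table is an assumption covering the common cases only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose URL a renderer fetches on its own (assumption).
AUTO_FETCHED = {
    "img": ("src", "srcset"),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")  # url(...) inside style=


def is_remote(url):
    """True for http(s) and protocol-relative URLs; cid: and data: stay local."""
    url = url.strip()
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") or (parts.scheme == "" and url.startswith("//"))


class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for every auto-fetched remote resource."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.pixels = []  # 1x1 remote images: the classic open-tracking beacon

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in AUTO_FETCHED.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":  # "url descriptor, url descriptor, ..."
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                if is_remote(url):
                    self.refs.append((tag, name, url.strip()))
        style = attrs.get("style")
        if style:
            for url in CSS_URL.findall(style):
                if is_remote(url):
                    self.refs.append((tag, "style", url))
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            src = attrs.get("src", "")
            if is_remote(src):
                self.pixels.append(src.strip())


def _scan(html):
    p = RemoteRefFinder()
    p.feed(html)
    p.close()
    return p


def find_remote_refs(html):
    return _scan(html).refs


def remote_hosts(html):
    """Hosts that would learn the reader's IP address if remote content loads."""
    return {urlsplit(url).hostname for _, _, url in find_remote_refs(html)}


def tracking_pixels(html):
    return _scan(html).pixels


# Constructed sample message: an embedded (cid:) image, an inline data: image,
# a 1x1 beacon, a CSS background image and an unsubscribe link (not auto-fetched).
SAMPLE = """<html><body>
<p>Hello,</p>
<img src="cid:logo@example.com" alt="logo">
<img src="https://track.example.net/open?id=12345" width="1" height="1" alt="">
<div style="background:url(http://cdn.example.org/bg.png)">Offer</div>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    for ref in find_remote_refs(SAMPLE):
        print(ref)
    print("hosts contacted:", sorted(remote_hosts(SAMPLE)))
    print("tracking pixels:", tracking_pixels(SAMPLE))
```

Anything that indexes or previews mail (a desktop search engine, a notification preview, a webmail “safe” view) needs the same classification before it renders, and the safe default is to leave every remote reference unfetched until the user asks for it; `cid:` attachments and `data:` URIs can be shown because they never leave the machine.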


WW – Beware Governments’ ‘Big Data’ Promises

The so-called ‘Big Data Revolution’ has governments enthralled. The BC government sees itself as a leader in bringing about ‘transformation’ with the use of data. The promises are that 1) the government is going to free itself up in its use of citizens’ personal data and this will bring convenience and make money, and 2) the government is going to free up government data and this will bring transparency and ‘digital engagement,’ and make money too. The data will be free and we will be wiser, happier and richer. At least, that’s what the glossy brochure says. You may not be too surprised to discover it’s not actually working out quite that way on the ground. In actual practice, part of this formula looks a lot like old ‘e-government’ initiatives that have been soundly criticized for costly failures and privacy fiascos. [British Columbia Civil Liberties Association]

Electronic Records

CA – City, Province to Work on Electronic Patient Reporting Across Manitoba

The way Winnipeg deals with electronic records for patients could eventually be used province-wide. This week, a city committee approved a motion for the province and city to work together to have the city’s electronic patient care system implemented across the province. Winnipeg Fire Paramedic Service Chief John Lane said Winnipeg was one of the first municipalities in Canada to use the electronic system. He said most other places use paper-based record keeping. The system uses Bluetooth to send the information from emergency crews to hospitals, and “provides absolutely seamless record keeping in terms of care,” Lane said. In 2013, the province reviewed its emergency medical services, and one of the recommendations was to find a common platform to be used across Manitoba to capture patients’ records electronically. The committee passed a motion that will allow the Winnipeg Fire Paramedic Service to start working with the province on a potential rollout of their system across the province. [CBC News]


UK – UK PM Wants to Ban Encrypted Communication

UK Prime Minister David Cameron has said that if he wins re-election, he will introduce legislation that would provide law enforcement with a means to access private, encrypted online communications. Under the plans put forth by Cameron, encrypted messaging services such as WhatsApp, iMessage, Skype and CryptoCat would not be legal. “The first duty of any government is to keep our country safe and our people safe,” he said. Privacy International’s Mike Rispoli said, “The UK simply cannot command foreign manufacturers and providers of services … to accommodate the desires of British spies.” In a blog post, Cory Doctorow wrote, “there’s no back door that only lets the good guys go through it.” [Computerworld] Cameron is also urging President Obama to pressure Apple, Google and Facebook to stop using stronger encryption in their communications products. An article in The Guardian quotes a 2009 report from the US National Intelligence Council, which has now surfaced, expressing concern that both government and private computers are not adequately protected because encryption is not being deployed as quickly as it ideally should be. [ZDNet] [CNET] [The Register] [Ars Technica] [David Cameron seeks cooperation of US president over encryption crackdown]

US – New York Prosecutor Calls for Law to Fight Apple Data Encryption

Apple Inc. and Google Inc. should be legally required to give police access to customer data necessary to investigate crimes, New York County’s top prosecutor said. Federal and state governments should consider passing laws that forbid smartphones, tablets and other such devices from being “sealed off from law enforcement,” Manhattan District Attorney Cyrus Vance said today in an interview at a cybersecurity conference in New York. Apple and Google’s mobile operating systems together accounted for more than 95% of smartphone shipments through the first three quarters of last year. [Bloomberg]

UK – PM Makes Apple CEO Tim Cook a Global Privacy Champ

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” Apple CEO Tim Cook wrote last year. “We have also never allowed access to our servers. And we never will.” Now, it looks like Apple will need to fight to maintain customer privacy, as British Prime Minister David Cameron wants to ban services that encrypt messages so they cannot be intercepted by spies, criminals or anyone other than those in the conversation. This directly impacts Apple’s iMessage and FaceTime, which offer end-to-end encryption.

EU – Paris Airport Security Made Security Expert Decrypt Laptop Hard Drive

When security expert Katie Moussouris was traveling through Paris’s Charles de Gaulle airport on her way back to the US after a conference, she was asked by security personnel there not only to power up her laptop, but also to enter her passwords to decrypt the machine’s hard drive. The laptop was not confiscated. [The Register]

EU Developments

EU – New Data Privacy Law Could Be Delayed Until 2016

Europe’s long-awaited new data protection law may be delayed until 2016, partly because of resistance by the UK Government. That’s the warning last week from MEP Jan Philipp Albrecht, vice chairman of the European Parliament committee overseeing the bill. The new General Data Protection Regulation (GDPR) is due to be finalised by the end of 2015 – but failure to agree the new rules is leaving European citizens exposed to snooping from foreign and European intelligence agencies and companies, Albrecht said. At a 7 January briefing in the European Parliament, he warned that delays to the law – which was first proposed in 2012 and has been hit by nearly 4,000 amendments – are “bad for democracy”. [SC Magazine]

UK – Theresa May: Data Law Could Have Helped Catch More Paedophiles

The home secretary, Theresa May, has told a child abuse summit that so-called snooper’s charter laws could have helped law enforcement officers catch more paedophiles online. May told representatives from more than 50 countries, 23 technology companies and nine non-governmental organisations that gaps remained in law enforcement and intelligence agencies’ capabilities to track down child abusers. Last month new powers were announced for police to force internet firms to hand over details that could help identify suspected terrorists and paedophiles. The counter-terrorism and security bill will oblige ISPs to retain information linking internet protocol addresses to individual users. [The Guardian] SEE ALSO: [UK Prime Minister David Cameron has called for a ban on encrypted communications] [The French data protection authority, the CNIL, has published its standard defining accountability in practice; companies demonstrating compliance will receive accountability seals from the authority] [The CNIL has issued new standards for call-monitoring and recording by employers] [In the Netherlands next month, the District Court of The Hague will hear a legal challenge to the Dutch data retention law “filed by a broad coalition of organizations”]

EU – Finland Gets Tough on Privacy

Finland is cracking down on social media and online messaging providers ahead of a big European Union review. On 1 January, the ‘Information Society Code’ passed into law. The Code is a major new umbrella act revising the country’s electronic communications legislation, with four main goals: simplifying existing rules; improving consumer protection; boosting information security; and creating more equal telecoms markets. The greatest potential consequence of the Information Society Code comes from its expanded regulatory powers over the information society, most notably a new requirement that the confidentiality-of-communications rules apply to all distributors of electronic communications, including social media companies.

UK – Wellers’ Child Privacy Case: Peers Urged To Change Law

The call follows a campaign by the wife of the rock star Paul Weller, who won a high court battle last year over unpixelated photos of their children published by a newspaper website. Hannah Weller’s cause is being supported by the Labour peer Angela Smith, who raised it in the Lords. The government said a balance had to be struck between privacy and free speech. Hannah Weller set up a campaign group to make it illegal to publish unpixelated pictures of children without parental consent. She insists there would be exceptions granted for pictures published in the public interest, those taken of a crowd or where there is implied consent, such as at a red carpet event. Smith, who is also a shadow Home Office minister, argues that civil law could be changed to prevent specific abuses of privacy without threatening free speech. [BBC News]

EU – IRE: Concern Over Personal Info Database for Every Primary Student

Concern is being expressed about a new Primary Online Database being established by the Department of Education. Under the plan, all children’s PPS numbers along with details of their religion and ethnic backgrounds will be included on the database, which the Department said will be used to develop education policy into the future. Parents of all primary school children are being sent letters outlining how the new POD will work and what information will be stored; the letter states that the information will be kept until the child reaches the age of 30. The Department claims the database will eliminate the existing annual school census, facilitate transfers between schools, and keep track of students who do not go on to secondary school.


US – Marriott to Stop Blocking Personal Wi-Fi Hotspots

Marriott International will no longer block personal wi-fi hotspots in its hotels. The US Federal Communications Commission (FCC) investigated the issue after a customer complained, and found that a hotel in Tennessee was using a monitoring system that sent de-authentication frames to guests’ hotspots, knocking their devices off those networks. The FCC fined Marriott US $600,000. Marriott believed it was acting within its rights and maintained that blocking customers’ wi-fi hotspots was a security measure. [BBC] [Silicon Republic] See also: [Manitoba: Hotel Wi-Fi exposes woman’s passport, credit card numbers]
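The blocking described above works because 802.11 management frames are unauthenticated: a containment system transmits deauthentication frames with the hotspot’s own address as sender, and clients obey them. The following Python script is an added example, not the FCC’s or Marriott’s code: it parses the plain 802.11 MAC header of captured frames, picks out deauthentication and disassociation frames with their reason codes, and flags sender/target pairs whose frame count exceeds a threshold. The capture is constructed bytes with locally-administered MAC addresses, and the threshold is an assumption to tune against a real capture (a real one would also carry a radiotap prefix that this parser does not handle).

```python
"""Deauthentication-flood detector for captured 802.11 frames.

Added example; not the FCC's or Marriott's code. Frames are parsed from the
plain 802.11 MAC header (no radiotap prefix), the capture is constructed
bytes with locally-administered MAC addresses, and the per-pair threshold
is an assumption to tune against a real capture.
"""
import struct
from collections import Counter

MGMT, DATA = 0, 2            # frame types
DISASSOC, DEAUTH = 10, 12    # management subtypes
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Decode frame control and addresses; add the reason code for deauth/disassoc."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]   # little-endian frame control
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": mac_str(frame[4:10]),     # Address 1: receiver
        "src": mac_str(frame[10:16]),    # Address 2: transmitter (spoofable)
        "bssid": mac_str(frame[16:22]),  # Address 3
    }
    if info["type"] == MGMT and info["subtype"] in (DEAUTH, DISASSOC):
        if len(frame) < 26:
            raise ValueError("deauth/disassoc body missing reason code")
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(frames, threshold=5):
    """Return {(src, dst): count} for sender/target pairs at or above threshold.

    A containment system spoofs the hotspot's own address as sender, so the
    rate per pair (and a broadcast target) is the signal, not the address.
    """
    counts = Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f["type"] == MGMT and f["subtype"] in (DEAUTH, DISASSOC):
            counts[(f["src"], f["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# --- constructed capture --------------------------------------------------
def _frame(ftype, subtype, dst, src, bssid, body=b""):
    fc = (subtype << 4) | (ftype << 2)            # protocol version 0, no flags
    return struct.pack("<HH", fc, 0x013A) + dst + src + bssid + b"\x00\x00" + body


HOTSPOT = bytes.fromhex("021122334455")   # guest's phone acting as access point
LAPTOP = bytes.fromhex("02aabbccddee")    # guest's laptop, associated to HOTSPOT

CAPTURE = (
    # eight broadcast deauths claiming to come from the hotspot, reason code 7
    [_frame(MGMT, DEAUTH, BROADCAST, HOTSPOT, HOTSPOT, struct.pack("<H", 7))] * 8
    # one genuine deauth to a single station, reason code 3 (station leaving)
    + [_frame(MGMT, DEAUTH, LAPTOP, HOTSPOT, HOTSPOT, struct.pack("<H", 3))]
    # ordinary data traffic between the two
    + [_frame(DATA, 0, HOTSPOT, LAPTOP, HOTSPOT, b"payload")] * 2
)

if __name__ == "__main__":
    for pair, n in detect_deauth_flood(CAPTURE).items():
        print(f"{n} deauth/disassoc frames from {pair[0]} to {pair[1]}")
```

The single deauthentication from the hotspot to one laptop is normal housekeeping and stays below the threshold; the burst of broadcast deauthentications is what a containment system produces. Because the sender address is forged, attribution has to come from elsewhere (signal strength, timing, or the sensor hardware), and the lasting fix is 802.11w protected management frames, which make forged deauthentications fail authentication on networks that support them.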

US – Writers Say They Feel Censored by Surveillance

A survey of writers around the world by the PEN American Center has found that a significant majority said they were deeply concerned with government surveillance, with many reporting that they have avoided, or have considered avoiding, controversial topics in their work or in personal communications as a result. The findings show that writers consider freedom of expression to be under significant threat around the world in democratic and nondemocratic countries. Some 75% of respondents in countries classified as “free,” 84% in “partly free” countries, and 80% in countries that were “not free” said that they were “very” or “somewhat” worried about government surveillance in their countries. Smaller numbers said they avoided or considered avoiding writing or speaking on certain subjects, with 34% in countries classified as free, 44% in partly free countries and 61% in not free countries reporting self-censorship. Respondents in similar percentages reported curtailing social media activity, or said they were considering it, because of surveillance.


US – SEC Considers CyberSecurity Disclosure Rules

The Securities and Exchange Commission (SEC) is “advancing measures” that would require publicly owned businesses to share more data about their cybersecurity vulnerabilities, including data breaches. The move would likely prompt businesses to tighten their security because the public would know how well companies are protecting data. “It’s a harbinger of what’s to come, and I think it will change the way companies think about and report on cyber,” said Squire Patton Boggs’ Norma Krayem. Former Securities and Exchange Commissioner Roberta Karmel said, “It’s kind of a recent trend that Congress seems to think federal security laws should cover absolutely everything that goes on in terms of the conduct at public companies.” [The Hill]

US – Regulator Criticized for Breach Response

In the wake of a breach during a regulatory exam, a federal banking regulator is getting a chilly reception to its plans to consider new rules related to encryption of data shared with examiners. Michael Fryzel, a former NCUA chairman, says consideration of a new encryption regulation is premature. Instead, the NCUA should focus on establishing a working group to review the agency’s security practices during examinations, he says.


MB – Refusal to Release Info Revisited

The City of Winnipeg is rethinking its refusal to divulge part of the rationale for pursuing the $210-million Winnipeg police headquarters project. The ombudsman’s report grew out of a February 2014 Free Press request for the information that led city officials to recommend purchasing the Canada Post building in 2009 and renovating it into a new police headquarters instead of fixing the Public Safety Building. The city denied access the following month, prompting the complaint to the ombudsman. After nine months of investigating, the ombudsman concluded that while the city could invoke the “advice to a public body” exception, it did not provide any reason why it made that decision and had predetermined its decision as a refusal. Mayor Brian Bowman made a campaign promise to stop the city’s frequent use of the discretionary exceptions as a means of denying access-to-information requests.


WW – New DNA Technique May Reveal Face of Killer in Unsolved Double-Murder

There were no witnesses to the gruesome murder of a South Carolina mother and her 3-year-old daughter inside a busy apartment complex four years ago. But a new technology that can create an image of someone using DNA samples left at crime scenes might bring police closer to catching the killer. Reston, Va.-based Parabon Nanolabs, with funding from the Department of Defense, has debuted a type of analysis called DNA phenotyping which the company says can predict a person’s physical appearance from the tiniest DNA samples, like a speck of blood or strand of hair. The DNA phenotyping service, commercially known as “Snapshot,” could put a face on millions of unsolved cases, including international ones, and generate investigative leads when the trail has gone cold. “Traditional forensic analysis treats DNA as a fingerprint, whereas Snapshot treats it as a blueprint — a genetic description of a person from which physical appearance can be inferred,” Parabon’s Ellen Greytak said. [Fox News] See also: [Surprise! With $60 Million Genentech Deal, 23andMe Has A Business Plan]

Health / Medical

CA – Confidentiality Agreement Handcuffs Assisted-Suicide Researcher

A professor who has successfully defended his right to protect the subjects of his research on assisted suicide wants to return to teaching at a university in Surrey, B.C., but a confidentiality agreement is blocking the way. Russel Ogden is drawing a yearly salary – more than $87,000 in 2014 – from Kwantlen Polytechnic University, but has been unable to teach or conduct research in its name since 2008 as a result of the deal he signed with the school. [The Globe and Mail]

Horror Stories

US – Park ‘N Fly Confirms Breach

Following a breach of its e-commerce website, Park ‘N Fly has been notifying “an undisclosed number of customers that their payment card information was exposed.” “Airport parking lots are attractive targets for fraudsters because they are often used by business travelers utilizing business or commercial credit cards,” the report states, quoting one card-issuer that noted such cards have “high lines, low decline rates and less scrutiny on a day-to-day basis by cardholders.” Park ‘N Fly is working with law enforcement and credit card issuers to investigate the incident, and those affected are being offered one year of free credit monitoring and identity protection services. [BankInfoSecurity]

US – NCUA Accepts Responsibility for Breach, Pays $50,000

The National Credit Union Administration (NCUA) announced that its board approved a payment of $50,000 to Palm Springs Federal Credit Union (PSFCU) to help cover expenses related to a data breach. In October, PSFCU notified its members that an unencrypted flash drive was lost when it was given to an NCUA examiner. The drive contained member names, addresses and Social Security numbers. NCUA, which at first faced criticism for not taking responsibility for the breach, now says it is “reinforcing training on protecting sensitive information and reviewing regulations, policies and procedures” and is considering adopting additional safeguards for electronic data. [Bank Info Security]

US – Heartland Provides Breach Warranty as Retail Encryption Need Grows

One of the country’s largest retail payment processors, Heartland Payment Systems, has announced it will offer a new breach warranty for users. The program will reimburse merchants that use Heartland for cost impacts from data breaches, the report states. Heartland Executive Director of Product Development Mike English said, “There is no bad time to ensure the businesses that process cards with us are safe … Hackers and criminals don’t wait until the busy times to breach a retail or restaurant network.” English also said the warranty offers a “forensic audit by a PCI-certified Qualified Security Assessor.” [eWeek]

US – LinkedIn Account Credentials Targeted in Phishing Scheme

Attackers are using phony security alerts to steal LinkedIn account access credentials. The messages pretend to come from LinkedIn support staff and say that users must download an attachment that will tell them how to install an update. The attachment mimics the LinkedIn website, but it sends any entered data to the attackers. Users can protect themselves by activating LinkedIn’s two-factor authentication. [SCMagazine]

US – US Military Social Media Accounts Hijacked

The Twitter and YouTube accounts of the US military’s Central Command (Centcom) have reportedly been hijacked by people claiming to be operating on behalf of Islamic State. Both accounts were temporarily suspended. Centcom has called the incident vandalism, and says it did not affect operations, nor was it a serious data breach. Some information about military personnel was posted, but it came from the Massachusetts Institute of Technology (MIT), not from military systems. The compromised accounts were taken offline. [BBC] [WIRED] [CNET] [SCMagazine] [NextGov] [ZDNet] [Washington Post]

US – United Mileage Plus Accounts Compromised

Using logon information obtained from a third party, unauthorized users managed to access about 35 United Airlines Mileage Plus accounts and arranged free travel and upgrades. United was not the source of the breach; the same access credentials were used in attacks against other companies as well. [ComputerWorld] [Washington Post]

US – Possible Breach of Chick-fil-A Payment Systems

According to information from several US financial institutions, fast-food chain Chick-fil-A may have experienced a payment system breach. The financial institutions note a pattern of fraud connected with payment cards used at the restaurants in the US. At one financial institution alone, nearly 9,000 cards appear to have been affected. Brian Krebs notes that in similar cases, the particular franchises affected were those that had outsourced point-of-sale system management to a third party. [Krebs] [DarkReading]

US – Morgan Stanley Employee Fired Over Alleged Customer Data Theft

Morgan Stanley has fired an employee for allegedly stealing customer data, including account access credentials, and offering them for sale online. The breach affected approximately 10% of the company’s 3.5 million wealth management customers. The employee had worked at Morgan Stanley since 2008. [Bloomberg] [NYTimes] [SC Magazine]

US – USPS Breach Affected Some Health Data

Additional details being released about the September 2014 intrusion of US Postal Service computers indicate that certain health information was compromised as well. The affected data are related to workers’ compensation claims. Because the compromised health data are not part of an insurance plan, the breach will not incur health data security fines. [NextGov]

Identity Issues

US – New York City ID Opens Doors — and Privacy Concerns

In New York City, Mayor Bill de Blasio made a pitch for a piece of plastic — a new ID card for New York City residents, regardless of immigration status. New Yorkers 14 and older can now join the largest municipal identification program in the country. De Blasio said renting an apartment, opening a bank account and entering a school building will now be easier for the city’s estimated half-million unauthorized immigrants. And the IDNYC program doesn’t leave out New Yorkers who already have ID. Here’s how the mayor sweetened the deal: “A free, one-year membership to 33 cultural institutions! That did get the attention of many New Yorkers,” he said. Los Angeles is preparing to roll out an ID similar to New York’s. They join cities like San Francisco; Oakland, Calif.; and New Haven, Conn., where only about 10 percent of the city’s population has applied since 2007. New York officials hope their program will be more widely adopted. [NPR] See also: [US – A plan to put your driver’s license on your phone] and [National Post editorial board: Good riddance to carding]

US – Debra J. Farber: Identity Management’s Role in Data Privacy

UnboundID: What are the biggest challenges at organizations right now when it comes to protecting customer privacy? Farber: Companies are struggling to know exactly where their data is located, how many copies of that data exist, who has access to it, and for how long it is stored. They don’t have the staff to manually govern this. On top of this, there are varied laws depending on your industry and the states and countries where your business operates. Usually, there’s only a high-level business process understanding as to why data is collected, from which sources, and where it resides. There’s usually confusion about “ownership,” which means that nobody knows who should make decisions about personal data. Adding to the mix is that large organizations usually have legacy systems, which have not yet been decommissioned, but which are still collecting data. Generally, companies need to tighten their processes around data lifecycle management. With the movement toward big data, the tendency for many organizations now is to collect and store as much data as possible with the hopes that insights may be gleaned in the future. Though, from a privacy perspective, that’s a bad practice. Most privacy laws require a company to collect, store, and share personal data for a specific purpose. [UnboundID]

Intellectual Property

CA – Canadian VPN Services Could Be Forced to Alert Pirating Customers

It’s unclear if VPN services will be forced to keep customer records under Canada’s new Copyright Modernization Act. Virtual Private Network (VPN) services are legal and, until now, were believed to be completely unregulated in Canada, making them particularly popular with internet users interested in online privacy protection, accessing geolocked content via streaming services like Netflix and U.S.-only Hulu, or more nefarious activities like piracy-focused torrent downloading or criminal activity. However, the new legislation, which went into effect on Jan. 1, doesn’t clearly state whether the Copyright Modernization Act’s notice provisions in Bill C-11’s section 41.25 (a) apply to VPN platforms. An integral aspect of the new law requires internet service providers (ISPs) to relay copyright infringement allegations to customers (a practice that has already been occurring for years), and also to keep a record of these allegations for six months in case the copyright holder decides to take legal action. Over the next few years virtual private networks could potentially become significantly less private in Canada.

Internet / WWW

US – Lawmakers Launch Congressional IoT Caucus

U.S. Reps. Suzan DelBene (D-WA) and Darrell Issa (R-CA) have announced the creation of a new Congressional Caucus dedicated to the Internet of Things (IoT). “Policy-makers will need to be engaged and educated on how we can best protect consumers while also enabling these new technologies to thrive,” DelBene said, adding, “It’s important that our laws keep up with technology, and I look forward to co-chairing the IoT caucus.” Issa, who chairs the Subcommittee on Intellectual Property, Courts and the Internet, said, “It’s critical that lawmakers remain educated about the fast-paced evolution of the Internet of Things and have informed policy discussions about the government’s role in access and use of these devices.” [Press Release]

US – FTC Chair Says Internet of Things Presents “Significant Privacy and Security Implications”

In a speech at the International Consumer Electronics Show in Las Vegas, US FTC chairperson Edith Ramirez warned that the Internet of Things (IoT) presents “significant” privacy issues. The billions of connected devices collect, store, and in some cases transmit data. Ramirez urged companies to make security a part of their product development process, to collect the minimum amount of data necessary, and to notify consumers of unexpected uses of their data and provide simplified choices regarding such use. [BBC] [Ars Technica] [Text of speech]

US – Cullen Joins Accountability Foundation to Work on “Accountability 2.0”

The Information Accountability Foundation (IAF), a nonprofit organization headed by Marty Abrams, announced this week that Peter Cullen, formerly GM and chief privacy strategist for Microsoft’s Trustworthy Computing Group, is joining the organization as executive strategist, policy innovation. He will be tasked with leading the IAF’s work “in developing a Holistic Governance Policy Model,” which Abrams called “an essential building block of Information Accountability 2.0.” [Full Story]

WW – Surveys and Predictions 2015 Roundup

[Top Tech News: The Future of Your Privacy Doesn’t Look Good | Pew Internet Report] [Experts say privacy soon to be a ‘luxury’] [EFF: 2014 in Review: Mobile Privacy and Security Takes Two Steps Forward, One Step Back] [Harvard Business Review: The Tech Trends You Can’t Ignore in 2015]

Law Enforcement

US – Body-Worn Camera Plans Have Residents Worried

L.A. residents have privacy concerns over proposed body cameras for Los Angeles Police Department (LAPD) officers. The plan is for nearly 900 cameras to be issued in the first quarter of the year, which will record interactions between LAPD officers and members of the public. The LAPD is one of many police departments considering such a measure. Meanwhile, city police officers in Pittsburgh are required to sign a policy forbidding them from releasing information to the public without authorization. Releasing the information could result in termination. Editor’s Note: The IAPP will host a web conference on January 30 from 1 to 2:30 p.m. EST on Law Enforcement Use of Body-Worn Cameras. [NBC] See also: [North Dakota State Rep. Kim Koppelman (R-West Fargo) has introduced a bill that would exempt images from police-worn body cameras from open records requirements]

US – Spokane: Police Body Camera Pilot Ends; Review and Implementation Next

A four-month pilot program to outfit Spokane police officers with body cameras will formally come to an end this week, but little is expected to immediately change in the department’s day-to-day use of the cameras. Officers who began wearing the cameras during the pilot will be able to continue wearing them on a volunteer basis going into 2015, said Tim Schwering, director of the department’s Office of Professional Oversight. Additional officers may also elect to begin wearing cameras. Over the next several months, he said, police will review use of the cameras and work to develop estimates on the video storage capacity and staff time to respond to record requests that a full body camera program would require. The department also will create a permanent policy governing camera use and will create a stakeholder commission to help with that process, Schwering said. He said the policy will be revised and updated to reflect any forthcoming changes in state law addressing video footage and public records. Once the pilot program has been reviewed, Schwering said, cameras will be phased in for patrol officers gradually, with the goal of outfitting all patrol officers by the end of 2015. [The Spokesman-Review]

US – FBI Says Warrants Not Necessary to Use Stingray in Public

US Senators are questioning the FBI’s use of cell-tower spoofing technology known familiarly as Stingray. The agency says it does not need a warrant to harvest data. Senators Patrick Leahy (D-Vermont) and Chuck Grassley (R-Iowa), chairman and ranking member of the Senate Judiciary Committee, have written a letter expressing concern “about whether the FBI and other law enforcement agencies have adequately considered [Americans’] privacy interests,” and seeking additional information on the technology’s use. [Ars Technica] [Washington Post]


US – Plans to Deploy Drones Draws Backlash

A move by law enforcement agencies in the San Francisco Bay Area to deploy drones has provoked a privacy backlash. The University of California, Berkeley, would be one of the places subject to drone monitoring. “Berkeley and the Bay Area have a long history of political discussion, protests and debate, and there’s a real concern around the use of these drones under those circumstances and the broader privacy issues,” said Jesse Arreguin of the Berkeley City Council. The ACLU has released a model ordinance for municipal drone use “that would require notifying the public and developing a policy for how the device is used, what data it collects and keeps and who can access it,” the report states. [Bloomberg] [DOD wants to build drones that can buzz into bad guys’ doorways]

Online Privacy

US – Ad Company Using Verizon Tracking Header

An advertising company appears to be using Verizon unique identifier token headers (UIDH) to track users’ online behavior. Clearing cookie caches will not prevent this tracking. [ComputerWorld] [The Register] [PC World]

WW – Report: New Super Cookies Can Even Track Your Privacy-Mode Browsing

A chink in the HTTP Strict Transport Security protocol makes it possible to fingerprint users who browse sites, even when they’re using a privacy mode like Chrome’s Incognito Browsing. HTTP Strict Transport Security is usually used to ensure that users only interact with the correct servers over HTTPS connections, by flagging that the encrypted connection should be used for all future interactions with the site. But security researcher Sam Greenhalgh has used the feature to create a new tool called HSTS Super Cookies. Just like normal cookies, they fingerprint a user when they’re browsing without a privacy feature turned on, so they can be used to identify them at a later date. But these new cookies are visible even when using privacy modes, and can also be read by websites from multiple domain names, not just the original provider. Combined, that means that these super cookies would allow any number of websites to track a user’s movements on the web, even when they’re using a private browsing mode. [Gizmodo]
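The two properties the article singles out, that the HSTS state survives private mode and that it is readable across domains, are both properties of how a browser stores the policy rather than of the HSTS header itself. The following is an added example (not code from the article, from Gizmodo, or from the HSTS Super Cookies tool) of a defensive design for that store: entries are keyed by the top-level site that was open when the `Strict-Transport-Security` header arrived, so a third-party host’s entry recorded under one first-party site is not consulted under another, and a private-mode session uses an ephemeral store that is discarded when the session ends. Header parsing follows RFC 6797 (`max-age`, `includeSubDomains`); the class and method names, and the `news.example` / `shop.example` / `tracker.example` hosts in the constructed scenario, are this example’s own assumptions and do not describe any particular browser’s implementation.

```python
"""Partitioned, session-scoped HSTS policy store (added example).

Two design choices remove the cross-site, cross-session readability that
turns HSTS state into a tracking identifier:
  1. entries are keyed by (top-level site, host), so a host's policy set
     while the user was on site A is not visible while on site B;
  2. a non-persistent store (private mode) is cleared at session end.
"""
import re
import time

# max-age value, optionally quoted as RFC 6797 permits (e.g. max-age="600").
_MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    carries no valid max-age directive (RFC 6797 says such a header must be
    ignored).
    """
    max_age = None
    include_sub = False
    for directive in (d.strip() for d in header.split(";")):
        if not directive:
            continue
        m = _MAX_AGE_RE.fullmatch(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class PartitionedHSTSStore:
    """HSTS state partitioned by top-level site; ephemeral when non-persistent."""

    def __init__(self, persistent=True, clock=time.time):
        self.persistent = persistent
        self._clock = clock
        # (top_site, host) -> (expiry_timestamp, include_subdomains)
        self._entries = {}

    def record(self, host, header, top_site):
        """Store the policy a host sent while `top_site` was the first party.

        Returns False if the header was malformed and therefore ignored.
        A max-age of 0 removes the entry, as the RFC requires.
        """
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        key = (top_site, host.lower())
        if max_age == 0:
            self._entries.pop(key, None)
        else:
            self._entries[key] = (self._clock() + max_age, include_sub)
        return True

    def should_upgrade(self, host, top_site):
        """Decide whether a request to `host` under `top_site` must use HTTPS.

        Only entries recorded under the same top-level site are consulted,
        which is what prevents a second site from reading the bit.
        """
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._entries.get((top_site, ".".join(labels[i:])))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue            # expired policy, treat as absent
            if i == 0 or include_sub:
                return True         # exact host, or covered by includeSubDomains
        return False

    def end_session(self):
        """Private-mode semantics: nothing learned in the session is kept."""
        if not self.persistent:
            self._entries.clear()


def demo():
    """Constructed scenario: a tracker-controlled host sets an HSTS bit while
    the user is on news.example; shop.example must not be able to observe it."""
    now = [1_000_000.0]                      # controllable clock for expiry checks
    store = PartitionedHSTSStore(persistent=True, clock=lambda: now[0])
    store.record("t0.tracker.example", "max-age=600; includeSubDomains",
                 top_site="news.example")
    results = {
        "same_site": store.should_upgrade("t0.tracker.example", "news.example"),
        "subdomain_same_site": store.should_upgrade("x.t0.tracker.example", "news.example"),
        "cross_site": store.should_upgrade("t0.tracker.example", "shop.example"),
    }
    now[0] += 601                            # policy lifetime elapses
    results["expired"] = store.should_upgrade("t0.tracker.example", "news.example")

    private = PartitionedHSTSStore(persistent=False, clock=lambda: now[0])
    private.record("t0.tracker.example", "max-age=600", top_site="news.example")
    results["private_before_end"] = private.should_upgrade("t0.tracker.example", "news.example")
    private.end_session()
    results["private_after_end"] = private.should_upgrade("t0.tracker.example", "news.example")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tracking vector depends on a single, global, persistent table of "this host must use HTTPS" bits. Partitioning that table by first-party site means a tracker embedded on many sites sees a fresh, empty set of bits on each of them, and discarding the table at the end of a private session means the identifier does not outlive the session either. Legitimate HSTS protection is preserved within each first-party context.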

Privacy (US)

US – 75 Companies Sign Pledge, But Google’s Not One

Google has decided not to sign the Student Privacy Pledge created by the Future of Privacy Forum (FPF) and endorsed by President Barack Obama, who said, “If you don’t join this effort … we intend to make sure those schools and parents know you haven’t joined this effort.” Google has said its “contracts and policies demonstrate a commitment to student privacy,” the report states. FPF’s Jules Polonetsky said Google agrees with “the substance of the commitments listed in the pledge,” noting the pledge is one way to convey how companies use student data, “But certainly it’s not the only way … Some companies may choose privacy seals or prominent privacy policy statements or other ways to communicate and self-regulate.” [The Wall Street Journal]

US – FTC Casebook Tool Unveiled by Westin Privacy Research Center

After a great deal of work, the IAPP Westin Research Center has launched its casebook of FTC privacy and data security enforcement actions. The casebook is a digital resource, collecting all 180 FTC enforcement actions (for now) and making them easily accessible, full-text searchable, tagged, indexed and annotated. To help users better understand the benefits and functionality of this tool, they have developed several use cases displaying how users might search the casebook and make use of the results.

US – New Data Breach Preparedness, Response Guidance

New to the IAPP Resource Center is the Washington Legal Foundation (WLF) Monograph Data Security Breaches: Incident Preparedness and Response. Authored by Jena Valdetero and David Zetoony of Bryan Cave LLP, with a foreword by Federal Trade Commissioner Maureen Ohlhausen, the handbook provides a basic framework to assist in-house legal departments with handling a security incident. It explains security incidents, outlines ways in-house counsel can help prepare for an incident and offers steps that should be taken in responding to an incident, as well as the costs involved. “I believe this WLF Monograph will be a useful reference for in-house counsel as they prepare for and encounter security incidents,” Ohlhausen writes. [Full Story]

The IAPP’s Westin Research Center released the FTC Casebook, in which all FTC complaints and consent decrees and attendant documents are searchable by keyword, tag or case home page.

Privacy Enhancing Technologies (PETs)

WW – Google Patents Method for Enabling Private Browsing Automatically

While users who want to browse the Internet incognito usually must explicitly enable their browsers’ privacy settings to avoid being tracked, a new technology from Google may soon eliminate the step. The company has been granted a U.S. patent for a method that would allow private browsing automatically via certain websites. Browsers equipped with the technology would be able to tell when the website’s content might prompt users to opt for private browsing, the report states. Google’s description of the service says, “The privacy mode can be enabled to prevent storage of webpage user information generated as the user browses the webpage.” [eWeek]

US – Wearable Start-Up Raises $16M in Funding

A San Francisco-based healthcare start-up has raised $16 million in venture capital funding—$23 million in total funding—to bring Google Glass into the healthcare world. Augmedix uses the wearable technology to minimize the amount of time clinicians spend with electronic health records to increase the time spent with patients. The company’s chief executive officer said, “In terms of economic impact, we’ve repeatedly shown that our service effectively turns three doctors into four.” [Healthcare IT News]

US – Mining Your Genes

Fusion reports on the potential for pharmaceutical companies to mine people’s genes. “Imagine a world where genetic sequencing is free, like Gmail,” the report states. “That’s where we’re headed.”

US – On the Importance of Building Privacy Into Apps and Reddit AMAs

Massachusetts Institute of Technology’s Jean Yang and her team are working on Jeeves, a framework for programmers to implement privacy policies directly into the code. “If it works as foreseen—and there is still a lot to do around performance—a developer could write policies—who can see what and when—right into the application,” the report states. For example, an app might share GPS data only when the user is in a given ZIP code. [GigaOM]


WW – This is the Cyberattack that Keeps Edward Snowden Up At Night

In an interview with James Bamford published by NOVA, Edward Snowden said that when it came to cyber warfare, the United States has “more to lose than any other nation on earth.” And he’s not just talking about attacks on systems with obvious effects on the physical world, but the potential fallout of attacks aimed at crippling the Internet itself. The United States is among the most digitally reliant nations out there, which opens up more avenues for cyberattacks. [The Washington Post]

WW – Majority of PHP Installations Are Insecure

More than three-quarters of PHP installations contain at least one security issue. Other software packages were found to contain flaws as well: 38% of sites running the Apache web server were found to be insecure, as were 36% of sites running Nginx, 22% of sites running Python, and 18% of sites running Perl. [The Register] [IRC Maxwell]

Smart Cars and Devices

WW – BMW Sounds Alarm Over Tech Companies Seeking Connected Car Data

BMW says technology companies and advertisers are putting increasing pressure on carmakers to hand over data collected by connected cars, “underlining the fine line being taken by the automotive industry between functionality and privacy.” BMW’s Ian Robertson said every car the company makes now offers some kind of wireless connectivity and there’s plenty of people saying, “Give us all the data you’ve got and we can tell you what we can do with it … and we’re saying ‘No thank you.’” Robertson said the data cars can collect now is as granular as being able to detect whether a child is in the car based on weight sensors. [The Irish Times]

CN – Even China’s Academy of Sciences Thinks Wearables Are a Privacy Problem

Researchers from the Chinese Academy of Sciences, the Australian National University, Dakota State University, Sydney University and Australia’s Commonwealth Scientific and Industrial Research Organisation (CSIRO) have looked over the state of play in the Internet of Things, and find that concern for privacy is lacking. Their paper at Arxiv notes that the current enthusiasm for wearables involves consumers handing over far more data (much of it highly personal and sensitive) than the mere boat-loads of data collected by outfits like Facebook. The paper offers a summary of areas the group says research is needed to develop both technologies and behaviours to protect user privacy in the IoT era. Problems highlighted by the report include:

  • User consent – somehow, the report says, users need to be able to give informed consent to data collection. Users, however, have limited time and technical knowledge.
  • Freedom of choice – both privacy protections and underlying standards should promote freedom of choice. For example, the study notes, users need a free choice of vendors in their smart homes; and they need the ability to revoke or revise their privacy choices.
  • Anonymity – IoT platforms pay scant attention to user anonymity when transmitting data, the researchers note. Future platforms could, for example, use TOR or similar technologies so that users can’t be too deeply profiled based on the behaviours of their “things”. [The Register]


WW – Paris Attacks Prompt Call for Intelligence-Sharing

Following the terrorist attacks in Paris, EU interior ministers pledged to increase intelligence-sharing, while data regulators warn surveillance programs under consideration must strike the right balance between privacy and security, Bloomberg reports. German Chancellor Angela Merkel has said she will press for new EU rules on data retention to help in the fight against terrorism; UK Prime Minister David Cameron says he will urge U.S. President Barack Obama to pressure Internet firms to cooperate more with intelligence agencies tracking the online activities of extremists, and European Council President Donald Tusk “has implored MEPs to accept the creation of a single, shared database of personal information on air passengers arriving in, or leaving, the EU.” Meanwhile, the European Commission said Monday it does not plan to launch an EU-wide intelligence agency. [Full Story]

US – FBI Says Search Warrants Not Needed to Use “Stingrays” In Public Places

The Federal Bureau of Investigation is taking the position that court warrants are not required when deploying cell-site simulators in public places. Nicknamed “stingrays,” the devices are decoy cell towers that capture locations and identities of mobile phone users and can intercept calls and texts. The FBI made its position known during private briefings with staff members of Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Sen. Chuck Grassley (R-Iowa). In response, the two lawmakers wrote Attorney General Eric Holder and Homeland Security chief Jeh Johnson, maintaining they were “concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests” of Americans. According to the letter, which was released last week: “For example, we understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.” [Slashdot] See also: [Hacked emails reveal China’s elaborate and absurd internet propaganda machine]

US – F.B.I. Is Broadening Surveillance Role, Report Shows

Although the government’s warrantless surveillance program is associated with the NSA, the FBI has gradually become a significant player in administering it, a newly declassified report shows. In 2008, according to the report, the F.B.I. assumed the power to review email accounts the N.S.A. wanted to collect through the “Prism” system, which collects emails of foreigners from providers like Yahoo and Google. The bureau’s top lawyer, Valerie E. Caproni, who is now a Federal District Court judge, developed procedures to make sure no such accounts belonged to Americans. Then, in October 2009, the F.B.I. started retaining copies of unprocessed communications gathered without a warrant to analyze for its own purposes. And in April 2012, the bureau began nominating new email accounts and phone numbers belonging to foreigners for collection, including through the N.S.A.’s “upstream” system, which collects communications transiting network switches. That information is in a 231-page study by the Justice Department’s inspector general about the F.B.I.’s activities under the FISA Amendments Act of 2008, which authorized the surveillance program. The report was entirely classified when completed in September 2012. But the government has now made a semi-redacted version of the report public in response to a Freedom of Information Act lawsuit filed by The New York Times. The Times filed the lawsuit after a wave of declassifications about government surveillance activities in response to leaks by the former intelligence contractor Edward J. Snowden.

US – Citizenfour Earns Oscar Nod; Snowden Talks from Moscow

It’s just been announced that Citizenfour, the documentary portraying the Snowden disclosures, has been nominated for an Oscar. Eric Jones reviews the film, noting it refrains from any narrative defense of Snowden’s actions and instead reveals Snowden’s slowly developing apprehension and also his lack of panic or regret. “The net effect is a sympathetic portrayal of a man, misguided or not, who views himself as doing the right thing and is only in this moment seeing the monumental consequences of his actions,” he writes. Meanwhile, James Bamford of PBS has published an interview with Snowden from Moscow on cyberattacks. [Privacy Advisor]

WW – Welcome to ‘Uber-Veillance’ Says Australian Privacy Foundation

Regulators are way behind the game when it comes to wearable and IoT privacy, and users are willingly conspiring with companies that don’t care about them to help create a society of “uber-veillance”. That’s the grim conclusion reached by Australian Privacy Foundation (APF) board member and University of Wollongong researcher Katina Michael in conversation with The Register.

WW – Ex MS Privacy Head Had Warned of Cloud Spying, But Lost His Job

In 2011, two years before the Snowden disclosures, Microsoft’s then Chief Privacy Officer Caspar Bowden tried to warn his company that any cloud computing solutions sold to foreign governments would mean unlimited mass surveillance of their clients by the NSA. Two months later Bowden was fired from Redmond. [NetworksAsia]

Telecom / TV

US – Mayer Identifies Zombie Cookies

The latest technological find in the device-tracking landscape is ominously called “zombie cookies.” Initially discovered by Stanford’s Jonathan Mayer, zombie cookies stem from a “hidden undeletable number” placed on users of Verizon smartphones and tablets and used by advertising company Turn. The Verizon number is used “to respawn tracking cookies that users have deleted,” the report states. Turn Chief Privacy Officer Max Ochoa said, “We are trying to use the most persistent identifier that we can in order to do what we do.” Verizon’s “perma cookie” caused a stir in the news last year, and AT&T dropped a similar ID number after those reports surfaced. In a blog post, Mayer wrote that given the tracking practice, “I think there’s also a good FCC, FTC or state deception case against Verizon.” [ProPublica]

US – EFF Wants Verizon to Ditch Tracking Technology

The Electronic Frontier Foundation (EFF) is urging Verizon Wireless to ditch a tracking technology that allows ad networks to collect data and send targeted ads to mobile users even in cases in which the user has tried to avoid tracking by deleting cookies. “It is clear that Verizon does not understand the privacy risks it is imposing on customers,” the EFF said. Verizon’s tracking system, which came to light last November, allows third-party advertisers to develop a “deep, permanent profile” of web-browsing habits. “Going forward, the company should undertake to obtain genuine prior, informed consent for any future tracking activities,” the EFF said. [MediaPost]

UK – ‘Burglar’s Shopping List’ Security Flaw Fixed

An online service recommended by most of the UK’s police forces has fixed a privacy flaw after being alerted by a security expert. Immobilise allows members of the public to add records to the National Property Register, detailing valuables in their homes. But security consultant Paul Moore discovered a flaw that made it possible to access other people’s records. Recipero, operators of Immobilise, said it had fixed the vulnerability. [BBC News]

US Government Programs

US – NSA to Begin Internship Program This Fall

The NSA will begin accepting applications this fall for its first privacy and civil liberties internship program. At least one student will be chosen for the 2016 summer program to work in the NSA’s newly created Civil Liberties and Privacy Office, the report states. NSA Director of Civil Liberties and Privacy Rebecca Richards said interns are an opportunity for her office. “Exposing the agency to newly minted college grads as well as exposing those newly minted college grads to what the agency does can only bring benefits to this conversation” around NSA surveillance practices, Richards said. [Fedscoop]

US Legislation

US – Obama Lays Out Legislative Proposals

President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors. Specifically, the private sector is encouraged to share threat data with the Department of Homeland Security (DHS). Additionally, the proposal includes modernizing law enforcement authorities by providing tools to fight cybercrime—including the sale of botnets, stolen credit card data and malware. The Center for Democracy & Technology’s Harley Geiger said the proposal includes more privacy-protecting measures than the Cyber Intelligence and Sharing Act, but it “allows companies to share user information with the (DHS) regardless of any privacy law” and allows the DHS to share with other law enforcement “for purposes unrelated to cybersecurity.” [Full Story]

US – Obama Releases Breach Bill Text; NY AG Proposing Data Security Bill

The Obama administration has released the text of its proposed data breach notification bill. While the proposal would strip states of the ability to make their own rules, state AGs could still keep pressure on companies by using state laws that aren’t preempted by the measure. Meanwhile, New York Attorney General (AG) Eric Schneiderman said he will propose legislation to make the state’s data security law the strongest in the country, and Schneiderman and 18 other state AGs have asked JP Morgan for more evidence on last year’s data breach. And The Hill reports credit unions want Congress to create a bipartisan working group to address the ongoing rash of data breaches. [Law360]

US – Obama Wants Breach Disclosure Law

President Obama is asking legislators to pass a bill that would require companies to disclose data security breaches that expose customer data within 30 days. The move is a response to recent breaches that have compromised the personal information of millions of people. Obama also wants the bill to include a provision prohibiting companies from selling students’ information to third party companies. [DarkReading] [TheRegister] [ComputerWorld] [CNET] [President Barack Obama announced a new legislative proposal to enable cybersecurity information-sharing between the public and private sectors] [The Hill reports on comments made by Rep. Zoe Lofgren (D-CA) on the Cyber Intelligence Sharing and Protection Act, saying its “astonishingly broad and overly vague information-sharing regime does more harm than good when it comes to Americans’ privacy.”] [Reed Freeman, IAPP Privacy Perspectives] [US – Obama’s Data-Breach Initiative Has Privacy Advocates Optimistic, Cautious] and [After a long delay, Obama declines to fire U.S. attorneys over Aaron Swartz’s suicide]

US – Senator to Introduce Breach Bill; Business Happy with Obama Proposal

Sen. Bill Nelson (D-FL), the ranking member on the Senate Commerce Committee, will soon introduce a data breach notification bill that closely resembles a proposal President Barack Obama called for during his speech Monday. “Now is the time Congress must act,” Nelson said. Meanwhile, NationalJournal reports business groups and Republicans are cheering rather than jeering Obama’s proposal, largely because it would uncomplicate the patchwork state laws businesses must now comply with, but Nextgov asks the question: why wouldn’t the legislation apply to government agencies? [The Hill]

US: New Tennessee Law Protects Employees’ Online Privacy

Now that 2015 is here, the new year means lots of new laws take effect in Tennessee. That includes a change that protects employees’ private information on Facebook, Twitter, and other social media accounts from nosy bosses. Tennessee now joins a list of dozens of states that have passed an Employee Online Privacy Act. McCarty says it protects people who make their online settings private, not the information someone shares with the entire world wide web. The new law says employers cannot force an employee or job applicant to provide access to private information. There are some exceptions that allow employers to pry, such as social media accounts that are specifically for work and identified as affiliated with an employer. [WBIR TV]

US: Delaware’s New Laws: Privacy Protection, Digital Assets

As of midnight Jan. 1, new Delaware laws went into effect to protect the privacy of consumer information; allow access to digital assets of an incapacitated family member; require new disclosure around campaign contributions; and require notice of cancellation of an insurance policy. [The News Journal]

US: Illinois Passes New ‘Revenge Porn’ Law That Includes Harsh Penalties

Illinois became the latest state to criminalize “revenge porn,” crafting what its creators hope will become a model for federal legislation. Gov. Pat Quinn signed a measure making the “non-consensual dissemination of private sexual images” a felony offense in Illinois. The new “revenge porn” law goes into effect June 1, 2015, and will punish offenders with one to three years in prison and up to a $25,000 fine. [Huffington Post]

US – N.D. Bill on Teacher ‘Privacy’ Introduced

A bill introduced to the State Legislature would restrict access to school district records and is the latest in a trio of bills aiming to exempt certain information from the state’s open records laws. Senate Bill 2153 would seal relevant records in a school district employee’s file should that employee be charged with a crime in district court. The records would become publicly available after the criminal complaint against the employee was resolved. The bill is the third this legislative session to attempt to create exemptions to the state’s open records laws. Senate Bill 2133 would remove university students’ email, home and mailing addresses, as well as phone numbers, from the public record. The bill, introduced Tuesday, is a reaction to a mass open records request for students’ contact information by Odney Advertising, which consults for the Republican Party. Senate Bill 2134 would allow the State Board of Higher Education to discuss in private the hiring or firing of a chancellor. It would also make confidential all records used to prepare performance evaluations of top education officials. [The Bismarck Tribune] See also: [US – Teen’s computer-privacy tussle with his Wayzata school goes viral]

Workplace Privacy

UK – BBC Accused of ‘Spying’ After 150 Staff Emails Accessed or Monitored

The BBC has been accused of “spying” on its own staff after it was revealed that nearly 150 staff email accounts were accessed or monitored over the past two years. In response to a Freedom of Information request from the Press Gazette, the BBC said 37 staff email accounts had been monitored because of leak investigations in 2013 and 2014. Other staff accounts had been looked into as a result of a variety of complaints and inquiries, including allegations of fraud, assault, harassment and disciplinary cases. Michelle Stanistreet, general secretary of the National Union of Journalists, said: “The BBC has previously denied any significant monitoring of staff email accounts, and only in criminal or disciplinary investigations, but these figures cast doubt on that explanation and the NUJ will work with our network of reps to get to the bottom of the kind of spying that has been taking place.” [The Guardian]


16-31 December 2014


WW – Hacker Clones Politician’s Fingerprint from Photos

Chaos Computer Club’s Jan Krissler said he successfully replicated the fingerprint of a German politician by using commercial software and several photos taken during a press conference. Krissler said, “politicians will presumably wear gloves when talking in public.” Prof. Alan Woodward noted, “Biometrics that rely on static information like face recognition or fingerprints—it’s not trivial to forge them, but most people have accepted that they are not a great form of security because they can be faked,” adding, “People are starting to look for things where the biometric is alive—vein recognition in fingers, gait analysis—they are also biometrics, but they are chosen because the person has to be in possession of them and exhibiting them in real life.” [BBC News] [Hacker claims you can steal fingerprints with only a camera]


CA – Most Canadians Trust Government to Protect Their Privacy: Poll

According to a survey by Environics Institute and the Ottawa-based Institute on Governance (IOG), most Canadians are reasonably confident the federal government is protecting the personal information it collects about them, and support the idea of sharing that data between departments to improve service. And they accept government surveillance on Canadians for national security as “important” — unless it applies to them. That’s when the majority feel government snooping on their phone records and Internet activity would be a violation of privacy. The survey found 9% of those asked strongly agreed with the notion that the government is “adequately” protecting the personal information it gathers when they fill out their taxes, apply for a passport, cross a border or apply for employment insurance. 48% “somewhat” agreed; 31% aren’t very confident and 12% say they aren’t at all confident that their privacy is protected. [National Post] see also [Schneier: Over 700 Million People Taking Steps to Avoid NSA Surveillance]

CA – Canada: $7,500 In Damages Awarded for Intrusion Upon Seclusion

In McIntosh v Legal Aid Ontario, Superior Court Justice Cornell awarded the plaintiff damages of $7,500 after finding a breach under the relatively new tort of intrusion upon seclusion. This tort was first recognized in Ontario in Jones v. Tsige, 2012 ONCA 32 (CanLII), in which the Court of Appeal for Ontario allowed a civil action for damages for the invasion of personal privacy in Ontario and awarded the plaintiff $10,000 in damages. [Lexology]

CA – Ontario Liberals Paid $10,000 to Have Gas Plant Data Erased: OPP

IT consultant Peter Faist, who is the spouse of former Ontario premier Dalton McGuinty’s deputy chief of staff, was paid $10,000 by the Liberal caucus to wipe data off approximately 20 government computers, police claim. The allegation, unproven in court, comes from an Ontario Provincial Police Information to Obtain document released by the Ontario Superior Court on Thursday. The document was used to get a search warrant, which was executed at a government office in late November. The data Faist is said to have deleted relates to the cancellation of two gas plants in the Toronto area prior to an election campaign. Police suspect the data were internal email conversations regarding the cancellation of the gas plants. David Livingston, McGuinty’s chief of staff, is accused of ordering the deletion of the emails. [CBC News]

CA – Canada Revenue Agency Destroys Staffers’ Texts

The Canada Revenue Agency has destroyed all text message records of its employees and has disabled logging of these messages in the future. Emails, released through access to information legislation, reveal that Shared Services Canada, the federal organization responsible for information technology services, destroyed the records in the middle of a business day in August. The Canada Revenue Agency has confirmed that it instructed the organization to destroy those records and also no longer log the instant messages, including PINs, BBMs and regular texts, going forward. “Since SMS and BBM messaging are non-secure, transitory methods of communication are used only for routine and nonbusiness related purposes; there is no requirement to maintain the transitory information,” said Philippe Brideau, a CRA spokesman. [Toronto Star]

CA – Alberta Amends PIPA to Address Concerns Between Freedom of Expression and Privacy

Alberta’s amendments to the Personal Information Protection Act have narrowly addressed the Supreme Court of Canada’s concerns about the appropriate balance between freedom of expression and rights to privacy, leaving a number of larger questions to another day. [Lexology] SEE ALSO Michael Geist offers an alphabet of Canadian tech policy in this report.

CA – RCMP Broke Privacy Laws by Sharing Medical Histories of Officers: Report

The RCMP committed a “serious privacy breach” and broke federal privacy laws when it shared sensitive medical information about five of its officers while throwing accusations at their psychologist, according to a privacy commissioner’s report written last month. The five Mounties went to the Office of the Privacy Commissioner of Canada two years ago, after discovering the RCMP had submitted portions of their personal medical histories to the College of Psychologists of B.C. [National Post]

CA – Ontario Fails to Track Complaints Against Crown Attorneys

Ontario’s Ministry of the Attorney General has no idea how many complaints have been lodged against its nearly one thousand prosecutors from across the province, or how many have been disciplined for misconduct in recent years. The lack of organized, accountable oversight, legal observers say, marks a “failure” by the government to properly scrutinize complaints against its Crown attorneys: public servants responsible for making important decisions such as who to prosecute for crimes and recommending sentences for those found guilty. [Mississauga News]

CA – Future Saskatchewan Licences to Prevent Fraud

SGI is looking to add facial recognition services to its future driver licences and identification cards to help prevent fraud. With SGI’s current five-year contract for driver’s licence and identification card production expiring in 2016, SGI is asking vendors to offer their proposal for a contract by Feb. 13, 2015. “In addition to proposals for regular driver’s license production services, we’re also asking for proposals for facial recognition services,” said Kelley Brinkworth, manager of media relations for SGI communications. [Moose Jaw Times Herald]

CA – Ontario Privacy Commissioner Slams Hospital’s Lax Privacy Controls

More than a year after discovering a massive privacy breach, Rouge Valley Hospital still has no way of finding out whether any confidential patient records have been inappropriately accessed, Ontario’s privacy watchdog revealed. An investigation by the privacy commissioner found the hospital’s computer system preserves only two weeks of user history. It was only after one careless employee admitted to stealing records and another left patient information in a printer that the privacy breaches were discovered. Privacy Commissioner Brian Beamish ordered Rouge Valley to overhaul its system so that all access to patient files can be tracked. He also ordered the hospital to improve confidentiality training and privacy breach management procedures. He has given the hospital until Sept. 16, 2015, to comply, but declined to name the people or financial institution involved in the breach. This summer, Rouge Valley revealed that two employees had accessed the records of more than 14,000 mothers who gave birth there between 2009 and 2013, so as to sell them Registered Education Savings Plans (RESPs). [Toronto Star]


WW – UN Approves Privacy Resolution in Major Victory for Human Rights

The UN General Assembly formally approved a major resolution on the right to privacy, by consensus. The resolution spotlights the privacy violations that are enabled by advances in technology, overbearing government surveillance, and corporate complicity. As communications have gone global, so too must privacy protections. Privacy rights limited by national borders are increasingly meaningless. As detailed in November, this resolution contains strong language that definitively places mass surveillance under international human rights law. The Human Rights Council has a chance in March to follow through and create a permanent mechanism to safeguard the right to privacy at an international level. The resolution calls for a permanent office on the right to privacy. For that to happen, though, the Human Rights Council in Geneva will have to take action in March by creating a new “special rapporteur” on the right to privacy. If so, in 2015, the world will have its first independent authority examining and promoting the right to privacy with the power to admonish governments for violations. [AccessNow]

WW – The Privacy and Security Winner and Loser Was the User in 2014

In last year’s “unofficial contest to determine computer security and privacy winners and losers,” the award goes to “you, the user,” Kim Zetter writes, with “a host of new products and services … to help protect the privacy and security of your data and communications” and court rulings providing “better protection against the warrantless seizure of your data.” But, the user was also the loser, Zetter notes, with reports suggesting spy agencies across the globe “will not rest until they’ve seized or deciphered every bit of your data.” Zetter lists privacy and security’s other winners and losers: Apple, WhatsApp, the Florida Supreme Court, U.S. Supreme Court, Yahoo and Google Project won, while Sony, President Barack Obama, the U.S. Marshals, Verizon and Gamma International lost. [WIRED]

US – Pew Research Reports on the Future of Privacy

The Pew Research Internet Project has released a new study on the future of privacy. The survey interviewed more than 2,500 experts in conjunction with Elon University’s Imagining the Internet Center and found a split in what respondents think 2025 will look like. For example, 45% said there would likely be “a secure, popularly accepted and trusted privacy-rights infrastructure by 2025,” while the remaining 55% said there are not enough incentives for governments or industry to create such an infrastructure. Stanford University Prof. Paul Saffo said, “Privacy has already shifted from being a right to a good that is purchased.” [Pew Research] and [Experts believe digital privacy may be entirely gone by 2025] and [US: Data privacy important to farmers, study shows]


US – Possible Breach Affects Files of 40,000 Federal Workers

The data of more than 40,000 federal employees may have been compromised in a cyberattack on federal contractor KeyPoint Government Solutions. The Office of Personnel Management (OPM) has started notifying affected workers and will offer free credit monitoring. KeyPoint specializes in background screening and investigations of federal workers and is the second such company to be breached this year. A representative for the OPM said officials concluded an investigation into the incident, finding “no conclusive evidence to confirm sensitive information was removed from the system” and that “Keypoint has worked closely with OPM to implement additional security controls.” [Associated Press]


US – Mediation Attempt in Yahoo Case Fails

U.S. District Court Judge Lucy Koh received this week a status report saying a class-action lawsuit between web users and Yahoo could not be resolved through out-of-court mediation. The plaintiffs argue that Yahoo “violates the federal Electronic Communications Privacy Act by intercepting emails and scanning them for keywords.” Koh rejected Yahoo’s bid to get the lawsuit dismissed earlier this year, but has yet to rule on whether the case can move forward as a class-action. [MediaPost]

EU – Ireland Chimes in on Microsoft Data Privacy Case

Ireland has filed a friend-of-the-court brief in support of Microsoft’s refusal to provide the US government with customer email held on a server in Ireland. The document asks the US to respect Ireland’s sovereignty. Microsoft maintains that the US’s Electronic Communications Privacy Act (ECPA) stored communications provisions are not applicable outside US borders. The data pertain to a criminal case in the US. [CNET] [Why Microsoft, Apple, Fox News and NPR Are Suddenly Working Together] [Tech Giants Rally Around Microsoft to Protect Your Data Overseas]


US – Snowden Leak Shows Which Encryption Agencies Can’t Crack

The latest leak from Edward Snowden details how the U.S. National Security Agency (NSA) and the UK GCHQ have undertaken efforts to “crack all types of encrypted Internet communication.” The leaks did reveal which encrypted services the NSA could not break, including Tor, Truecrypt and PGP. [Der Spiegel]

WW – Google Plans to Warn Chrome Users on All HTTP Connections

Google plans to flag all HTTP traffic as insecure in its Chrome browser. Chrome users will see alerts when they attempt to visit HTTP sites. Google plans to implement the change in 2015. [The Register] [BBC] [eWeek]

EU Developments

EU – Commission Releases 2015 Agenda; Privacy Bridges Project to Release Consensus Report

The European Commission made public its work agenda for 2015. High on the list is the ongoing effort to break down national barriers to create a digital single market. The commission aims to keep pushing for new telecom legislation including provisions on net neutrality; new data protection rules and a long-term digital strategy for the years ahead, among other goals. Meanwhile, the University of Amsterdam and the Massachusetts Institute of Technology have issued a press release about two